Skip to main content

Cortex XSOAR Content Release Notes for version 21.6.1 (6150503)

Published on 22 June 2021#

Breaking Changes#

The following pack includes breaking changes.

Gurucul Risk Analytics Pack v1.1.0

New: Cyberpion Pack v1.0.0 (Partner Supported)#

Classifiers#

Cyberpion-Classifier#

Classifies Cyberpion alerts.

Cyberpion-Mapper#

Incident Fields#

  • Cyberpion Action item ID
  • Cyberpion Category
  • Cyberpion Domain
  • Cyberpion Impact
  • Cyberpion Solution
  • Cyberpion Summary
  • Cyberpion Technical Details
  • Cyberpion Title
  • Cyberpion Vulnerability Description
  • Cyberpion portal link

Incident Types#

Cyberpion Security Alert

Integrations#

Cyberpion#

The Cyberpion integration enables you to seamlessly receive all your Cyberpion security solution action items and supportive information in Cortex XSOAR.

Layouts#

Cyberpion - Action Item (Available from Cortex XSOAR 6.0.0).

Playbooks#

Cyberpion Domain State#

Enables analysts to get basic information about the domain.

New: Elasticsearch Monitoring Pack v1.0.0#

Dashboards#

Elasticsearch Monitoring#

Widgets#

Elasticsearch Active Nodes#

Elasticsearch total nodes currently in use.

Elasticsearch Nodes Current Usage#

Elasticsearch node current usage (as a percent).

Elasticsearch Active Shards#

Elasticsearch total shards (including replicas) currently active.

Elasticsearch Shards Current Usage#

Elasticsearch shards current usage (as a percent).

Elasticsearch CPU Current Usage#

Elasticsearch CPU current usage (as a percent).

Elasticsearch Disk Current Usage#

Elasticsearch disk current usage (as a percent).

Elasticsearch Free Disk#

Elasticsearch free disk in gigabytes.

Elasticsearch Total Disk Size#

Elasticsearch total disk size in gigabytes.

Elasticsearch Used Disk#

Elasticsearch used disk space in gigabytes.

Elasticsearch Current Total Documents#

Elasticsearch total number of documents in Cortex XSOAR indices.

Elasticsearch Total Documents Over time#

Elasticsearch total number of documents in Cortex XSOAR indexes over time in minutes.

Elasticsearch Failing Nodes#

Elasticsearch total number of nodes that currently failed.

Elasticsearch Failing Shards#

Elasticsearch total number shards (including replicas) that are currently unassigned or failed.

Elasticsearch Current Total Indexes#

Elasticsearch total number of indexes.

Elasticsearch JVM Memory Current Usage#

Elasticsearch JVM memory current usage (as a percent).

Elasticsearch Total Memory#

Elasticsearch total memory in gigabytes.

Elasticsearch Shards Status by Index#

Elasticsearch active indexes distributed by allocated shards and replicas.

Elasticsearch Details#

Elasticsearch cluster details.

New: F5 Silverline Pack v1.0.0#

Classifiers#

F5 Silverline Classifer#
F5 Silverline mapper#

Incident Fields#

  • F5 Silverline Raw Message
  • F5 Silveline Security Policy Name
  • F5 Silverline Action
  • F5 Silverline Action Reason
  • F5 Silverline Alert Generated Timestamp
  • F5 Silverline Alert Type
  • F5 Silverline Attack Signature ID
  • F5 Silverline Attack Signature Name
  • F5 Silverline Attack Type
  • F5 Silverline Backend Server IP
  • F5 Silverline Backend Server Port
  • F5 Silverline Client IP
  • F5 Silverline Client Port
  • F5 Silverline Context Name
  • F5 Silverline Data
  • F5 Silverline Detected Usernames
  • F5 Silverline DOS Attack Latency
  • F5 Silverline DOS Attack TPS
  • F5 Silverline DOS Baseline Latency
  • F5 Silverline DOS Baseline TPS
  • F5 Silverline DOS Detection Threshold
  • F5 Silverline Flow ID
  • F5 Silverline Geo Location Source IP
  • F5 Silverline HTTP Class Name
  • F5 Silverline HTTP Method
  • F5 Silverline HTTP Strings Detected
  • F5 Silverline IP Intelligence Event
  • F5 Silverline IP Intelligence Policy Name
  • F5 Silverline IRule Log Level
  • F5 Silverline IRule Log Type
  • F5 Silverline IRule Name
  • F5 Silverline IRule Version
  • F5 Silverline Message Number
  • F5 Silverline Message Originator Source IP
  • F5 Silverline Message Type
  • F5 Silverline Mitigate Threshold
  • F5 Silverline Proxy ID
  • F5 Silverline Request Side
  • F5 Silverline Request Status
  • F5 Silverline Response Code
  • F5 Silverline Route Domain
  • F5 Silverline SA Translation Pool
  • F5 Silverline SA Translation Type
  • F5 Silverline Security Policy update timestamp
  • F5 Silverline Security Severity
  • F5 Silverline Service ID
  • F5 Silverline SNAT IP
  • F5 Silverline SNAT Port
  • F5 Silverline Staged Signature IDs
  • F5 Silverline Staged Signature Names
  • F5 Silverline Sub Violations
  • F5 Silverline support ID
  • F5 Silverline Targeted URI
  • F5 Silverline Threat identifier
  • F5 Silverline TMM Unit
  • F5 Silverline Translated Dest IP
  • F5 Silverline Translated Dest Port
  • F5 Silverline Translated IP Protocol
  • F5 Silverline Translated Route Domain
  • F5 Silverline Translated Source IP
  • F5 Silverline Translated Source Port
  • F5 Silverline Translated Vlan
  • F5 Silverline Violations Details
  • F5 Silverline Violation Security Support ID
  • F5 Silverline Violations Types
  • F5 Silverline Violation Timestamp
  • F5 Silverline Virtual Server IP
  • F5 Silverline Virtual Server Name
  • F5 Silverline Virtual Server Port
  • F5 Silverline Web Application Name
  • F5 Silverline X-Forwarded

Incident Types#

  • F5 Silverline L7 DDoS Events
  • F5 Silverline Threat Intelligence Events
  • F5 Silverline WAF Events
  • F5 Silverline iRule Events

Integrations#

F5 Silverline#

F5 Silverline Threat Intelligence is a cloud-based service incorporating external IP reputation and reducing threat-based communications. By identifying IP addresses and security categories associated with malicious activity, this managed service integrates dynamic lists of threatening IP addresses with the Silverline cloud-based platform, adding context-based security to policy decisions.

Layouts#

  • F5 Silverline L7 DDoS Events Layout (Available from Cortex XSOAR 6.0.0).
  • F5 Silverline Threat Intelligence Events Layout (Available from Cortex XSOAR 6.0.0).
  • F5 Silverline WAF Events Layout (Available from Cortex XSOAR 6.0.0).
  • F5 Silverline iRule Events Layout (Available from Cortex XSOAR 6.0.0).

New: FireEye Central Management Pack v1.0.0#

Classifiers#

FireEye Central Management - Classifier#

Classifies FireEye Alerts.

Integrations#

FireEye Central Management#

FireEye Central Management (CM Series) is the FireEye threat intelligence hub. It services the FireEye ecosystem, ensuring that FireEye products share the latest intelligence and correlate across attack vectors to detect and prevent cyber attacks.

New: FireEye Common Fields Pack v1.0.0#

Classifiers#

FireEye EX - Incoming Mapper#

Maps FireEye EX alerts.

FireEye NX IPS Alert - Incoming Mapper v2#

Maps FireEye NX IPS alerts.

FireEye NX Alert - Incoming Mapper v2#

Maps FireEye NX alerts.

Incident Fields#

  • FireEye Alert Infection ID
  • FireEye Alert Malicious
  • FireEye Alert Vlan
  • FireEye C2 Address
  • FireEye C2 Channel
  • FireEye C2 Host
  • FireEye C2 Port
  • FireEye C2 Protocol
  • FireEye Domain Name
  • FireEye Download At
  • FireEye Email Queue ID
  • FireEye Email Source Domain
  • FireEye Infection ID
  • FireEye Infection URL
  • FireEye Malware Info
  • FireEye Match Count
  • FireEye Signature
  • FireEye Signature ID
  • FireEye Signature Revision
  • FireEye Submitted At

New: FireEye Email Security (EX) Pack v1.0.0#

Incident Types#

FireEye EX Alert

New: GenerateAsBuilt Pack v1.0.0 (Community Contributed)#

Scripts#

GenerateAsBuilt#

Generate an as-built document, as HTML, based on the running Cortex XSOAR instance. Requires an instance of the Demisto API integration configured.

New: HPE Aruba Clearpass Pack v1.0.0#

Integrations#

HPE Aruba ClearPass#

Aruba ClearPass Policy Manager provides role and device-based network access control for employees, contractors, and guests across any multi-vendor wired, wireless, and VPN infrastructure.

New: JWT Token Generator Pack v1.0.0 (Community Contributed)#

Integrations#

JWT#

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. This integration can be used to generate new JWT tokens, and encode and decode existing ones.

New: Netscout Arbor Edge Defense - AED Pack v1.0.0#

Integrations#

Netscout Arbor Edge Defense#

Use the Netscout Arbor Edge Defense integration to detect and stop both inbound threats and outbound malicious communication from compromised internal devices.

New: Respond Analyst Pack v1.0.0 (Partner Supported)#

Classifiers#

Mandiant Automated Defense Classifier#
Mandiant Automated Defense Incoming Mapper#

Incident Fields#

  • MAD Accounts
  • MAD Asset Criticality
  • MAD Assets
  • MAD Assigned Users
  • MAD Attack Stage
  • MAD Attack Tactic
  • MAD Close URL
  • MAD Description
  • MAD Domains
  • MAD Escalation Reasons
  • MAD Event Count
  • MAD External Systems
  • MAD External Tenant Id
  • MAD Feedback Comments
  • MAD Feedback Outcome
  • MAD Feedback Time Updated
  • MAD Feedback User Id
  • MAD File Hashes
  • MAD First Event Time
  • MAD Incident Id
  • MAD Internal Tenant Id
  • MAD Last Event Time
  • MAD Malware
  • MAD Status
  • MAD Probability
  • MAD Signatures
  • MAD Time Generated
  • MAD URL

Incident Types#

Mandiant Automated Defense Incident

Integrations#

Mandiant Automated Defense (formerly Respond Software)#

Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within Cortex XSOAR are reflected in the Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled.

Layouts#

Mandiant Automated Defense (Available from Cortex XSOAR 6.0.0).

New: SolarWinds Pack v1.0.0#

Classifiers#

SolarWinds#
SolarWinds Alert - Incoming Mapper#

Incoming mapper for SolarWinds Alert.

SolarWinds Event - Incoming Mapper#

Incoming mapper for SolarWinds Event.

Incident Fields#

  • SolarWinds Acknowledged - Whether the alert or event is acknowledged.
  • SolarWinds Active Alert ID - Active ID of the triggered alert.
  • SolarWinds Alert Acknowledged By - Name of the person who acknowledged the alert.
  • SolarWinds Alert Acknowledged Date Time - Timestamp indicating when the alert was acknowledged.
  • SolarWinds Alert Acknowledged Note - Acknowledge note for the alert.
  • SolarWinds Alert Created By - Name of the person who created the alert.
  • SolarWinds Alert Entity Caption - The display name for the triggering object.
  • SolarWinds Alert Entity Details URI - Relative URL for the details view for the triggering object.
  • SolarWinds Alert Entity NetObject ID - NetObject ID of the entity.
  • SolarWinds Alert Entity Type - Type of the object that triggered the alert.
  • SolarWinds Alert Entity URI - URI for the object that triggered the alert.
  • SolarWinds Alert ID - ID of the alert.
  • SolarWinds Alert Name - Name of the alert.
  • SolarWinds Alert Note - Note for the alert.
  • SolarWinds Alert Object ID - Object ID of the triggered alert.
  • SolarWinds Alert Real Entity Type - Type of the real entity.
  • SolarWinds Alert Real Entity URI- URI of the real entity.
  • SolarWinds Alert Reference ID - Unique identifier of the alert.
  • SolarWinds Alert Related Node Caption - Caption of the related node.
  • SolarWinds Alert Related Node Details URL - URL which contains node details.
  • SolarWinds Alert Related Node ID - ID of the related node.
  • SolarWinds Alert Type - Object type of the alert.
  • SolarWinds Description - Description of the alert or event.
  • SolarWinds Display Name- Display name of the alert or event.
  • SolarWinds Event Engine ID - Engine ID of a triggered event.
  • SolarWinds Event ID - Event ID of the triggered event.
  • SolarWinds Event NetObject ID - NetObject ID of a triggered event.
  • SolarWinds Event NetObject Type - NetObject type of a triggered event.
  • SolarWinds Event NetObject Value - NetObject value of a triggered event.
  • SolarWinds Event Type - Name of the type of a triggered event.
  • SolarWinds Instance Site ID - ID of an instance site of which an alert or event is triggered.
  • SolarWinds Instance Type - Instance type of an event.
  • SolarWinds Message - Message of a triggered event or alert.
  • SolarWinds URI - URI of the alert.

Incident Types#

  • SolarWinds Alert
  • SolarWinds Event

Integrations#

SolarWinds#

The SolarWinds integration interacts with the SWIS API to enable you to fetch alerts and events. It also provides commands to retrieve lists of alerts and events.

Layouts#

  • SolarWinds Alert - Summary
  • SolarWinds Event - Summary
  • SolarWinds Alert (Available from Cortex XSOAR 6.0.0).
  • SolarWinds Event (Available from Cortex XSOAR 6.0.0).

New: Thycotic Secret Server Pack v1.0.0 (Partner Supported)#

Integrations#

Thycotic#

Secret Server is the only fully featured Privileged Account Management (PAM) solution available both on premise and in the cloud. It empowers security and IT ops teams to secure and manage all types of privileged accounts and offers the fastest time to value of any PAM solution.

Playbooks#

Example-Thycotic-Folder Operations#

Example for use of the integration REST API Folder object for Thycotic Secret Server.

Example-Thycotic-Retrieved Username and Password#

Example for use of the integration REST API for Thycotic Secret Server. Methods retrieve username and password from the secret server.

Example-Thycotic-Secret Object Operations#

Example for use of the integration REST API Secret object for Thycotic Secret Server.

Example-Thycotic-User object operations#

Example for use of the integration REST API User object for Thycotic Secret Server.

New: TwitterIOCHunter - Full Daily Feed Pack v1.0.0 (Community Contributed)#

Integrations#

TwitterIOCHunter - Full Daily Feed#

Fetch the full daily feed from www.tweettioc.com/v1/tweets/daily/full

ANY.RUN Pack v1.0.3#

Integrations#

ANY.RUN#

Updated the Docker image to: demisto/python3:3.9.5.20958.

APIVoid Pack v1.0.2#

Integrations#

APIVoid#

Updated the Docker image to: demisto/python3:3.9.5.20070.

AWS - EC2 Pack v1.2.3#

Scripts#

AwsEC2GetPublicSGRules#

Updated the Docker image to: demisto/python3:3.9.5.21272.

AWS - GuardDuty Pack v1.1.3#

Integrations#

AWS - GuardDuty#
  • Fixed an issue where the aws-gd-get-members command returned a null value to the context outputs when there were no members in the response.
  • Updated the Docker image to: demisto/boto3:2.0.0.21477.

AWS - Security Hub Pack v1.1.2#

Integrations#

AWS - Security Hub#
  • Fixed an issue where duplicate findings were fetched.
  • Updated the Docker image to: demisto/boto3py3:1.0.0.20921.

AWS Feed Pack v1.1.4#

Integrations#

AWS Feed#

Internal infrastructure improvements.

Abuse.ch SSL Blacklist Feed Pack v1.1.3#

Integrations#

abuse.ch SSL Blacklist Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Accessdata Pack v1.0.1 (Partner Supported)#

Integrations#

Accessdata#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Advanced Filter Pack v1.1.4 (Community Contributed)#

Scripts#

ExtFilter#
  • Fixed an issue where the is updated with operator caused circular references.
  • Fixed an issue where the contains opertator did not work for non-string values.
  • Added the following new operators:
    • in
    • in caseless
    • not in
    • not in caseless
  • Updated the Docker version: demisto/python3:3.9.5.21272.

Agari Phishing Defense Pack v1.0.2 (Partner Supported)#

Integrations#

Agari Phishing Defense#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Alexa Rank Indicator Pack v1.1.3#

Integrations#

Alexa Rank Indicator#

Updated the Docker image to: demisto/python:2.7.18.20958.

AlienVault Feed Pack v1.1.3#

Integrations#

AlienVault Reputation Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

AlienVault OTX Pack v1.1.3#

Integrations#

AlienVault OTX v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

AlienVault USM Anywhere Pack v1.0.3#

Integrations#

AlienVault USM Anywhere#

Updated the Docker image to: demisto/python3:3.9.5.20958.

AlphaVantage Pack v1.0.1 (Community Contributed)#

Integrations#

AlphaVantage#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Analyst1 Pack v1.0.9 (Partner Supported)#

Integrations#

Analyst1#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Playbooks#

Illuminate Integration Demonstration#

Documentation and metadata improvements.

Anomali Enterprise Pack v1.0.3#

Integrations#

Anomali Match#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ArcSight ESM Pack v1.1.1#

Integrations#

ArcSight ESM v2#

Updated the Docker image to: demisto/python:2.7.18.20958.

ArcSight Logger Pack v1.0.4#

Integrations#

ArcSight Logger#

Fixed an issue where a successful logout would return the "logout failed" message for some versions of ArcSight Logger.

Armis Pack v1.0.2#

Integrations#

Armis#
  • Fixed an issue where duplicate incidents were fetched.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.

Atlassian IAM Pack v1.0.2#

Integrations#

Atlassian IAM#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Atlassian Jira Pack v1.3.4#

Integrations#

Atlassian Jira v2#

Added the following arguments to the jira-edit-issue and ira-create-issue commands:

  • components
  • security
  • environment

AutoFocus Pack v1.3.3#

Integrations#

Palo Alto Networks AutoFocus v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

AutoFocus Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

AutoFocus Daily Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Awake Security Pack v1.0.2#

Integrations#

Awake Security#

Updated the Docker image to: demisto/python:2.7.18.20958.

Azure Feed Pack v1.0.5#

Integrations#

Azure Feed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Bambenek Consulting Feed Pack v1.1.3#

Integrations#

Bambenek Consulting Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Base Pack v1.12.12#

Scripts#

DBotMLFetchData#

Documentation and metadata improvements.

SanePdfReports#
  • 6.2 includes the following functionality changes for reports, dashboards, and widgets:
    • Support the option to force print the full height for long widget tables and charts.
    • Responsive axis.
    • Label axis.
    • Support duration formats.
    • Support hiding 'Others' group.
    • New empty state showing no results returned.
    • Show borders.
    • Show the reference line.
    • Support date formatting.
  • Multiple bug fixes
    • The legend order.
    • Show/Hide the legend.
    • Auto page widget breaks.
    • Labels and layout fixes.
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/sane-pdf-reports:1.0.0.20952.
DBotSuggestClassifierMapping#

Documentation and metadata improvements.

SaneDocReports#

Documentation and metadata improvements.

CommonServerPython#
  • Added the support_multithreading function that adds locking on the calls to the Cortex XSOAR server from the Demisto object.
  • Maintenance and stability enhancements.
CommonServer#
  • Fixed an issue where the isIPInSubnet method failed to detect the 0.0.0.0 IP address as part of its subnet.
  • Added the following methods to compare Cortex XSOAR server versions:
    • getDemistoVersion
    • isDemistoVersionGE
  • Added the following methods to support versioned integration cache.

    • getVersionedIntegrationContext

    • setVersionedIntegrationContext

      (Available from Cortex XSOAR version 6.2.0).

DBotTrainClustering#

Maintenance and stability enhancements.

BeyondTrust Password Safe Pack v1.0.4#

Integrations#

BeyondTrust Password Safe#

Updated the Docker image to: demisto/python3:3.9.5.20070.

BitSight Pack v1.0.4 (Partner Supported)#

Integrations#

BitSight for Security Performance Management#

Updated the Docker image to: demisto/python3:3.9.5.20070.

BitcoinAbuse Feed Pack v1.0.6#

Integrations#

BitcoinAbuse Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

BlockList DE Feed Pack v1.1.3#

Integrations#

Blocklist_de Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Bluecat Address Manager Pack v1.0.3#

Integrations#

Bluecat Address Manager#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Blueliv ThreatCompass Pack v1.0.2 (Community Contributed)#

Integrations#

Blueliv ThreatCompass#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Blueliv ThreatContext Pack v1.0.1 (Community Contributed)#

Integrations#

Blueliv ThreatContext#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Bmc Helix Remedyforce Pack v1.0.5#

Scripts#

BMCHelixRemedyforceCreateIncident#

Updated the Docker image to: demisto/python3:3.9.5.20958.

BMCHelixRemedyforceCreateServiceRequest#

Updated the Docker image to: demisto/python3:3.9.5.20958.

BruteForce Feed Pack v1.1.3#

Integrations#

BruteForceBlocker Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CIRCL Pack v1.0.1#

Integrations#

CIRCL#

Updated the Docker image to: demisto/python:2.7.18.20958.

CVE Search Pack v1.0.5#

Scripts#

cveLatest#

Documentation and metadata improvements.

cveSearch#

Documentation and metadata improvements.

Carbon Black Cloud Enterprise EDR Pack v1.1.4#

Integrations#

VMware Carbon Black Enterprise EDR#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Carbon Black Endpoint Standard Pack v3.0.1#

Integrations#

New: Carbon Black Live Response Cloud#

Allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, and execute and terminate processes. (Available from Cortex XSOAR 5.5.0).

Carbon Black Endpoint Standard#

Fixed a broken link in the description.

Carbon Black Endpoint Standard v2#

Maintenance and stability enhancements.

Carbon Black Enterprise Protection Pack v1.0.6#

Integrations#

VMware Carbon Black App Control v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Check Point Firewall Pack v2.0.10#

Integrations#

CheckPoint Firewall v2#
  • Improved the error handling in the test-module command.
  • Fixed an issue where the checkpoint-show-objects command failed because of changes in the API version.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Chronicle Pack v2.0.1 (Partner Supported)#

Scripts#

ChronicleAssetEventsForHostnameWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleAssetEventsForIPWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleAssetEventsForMACWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleAssetEventsForProductIDWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleAssetIdentifierScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleDBotScoreWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleDomainIntelligenceSourcesWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleIsolatedHostnameWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleIsolatedIPWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChronicleListDeviceEventsByEventTypeWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ChroniclePotentiallyBlockedIPWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ConvertDomainToURLs#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ExtractDomainFromIOCDomainMatchRes#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Cisco ASA Pack v1.0.7#

Integrations#

Cisco ASA#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cisco Email Security (Beta) Pack v1.0.3#

Integrations#

Cisco Email Security (beta)#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cisco ISE Pack v1.0.3#

Integrations#

Cisco ISE#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Cisco Secure Cloud Analytics (Stealthwatch Cloud) Pack v1.0.5#

Integrations#

Cisco Secure Cloud Analytics (Stealthwatch Cloud)#

Updated the Docker image to: demisto/python:2.7.18.20958.

Cisco Threat Grid Pack v1.2.4#

Integrations#

Cisco Secure Malware Analytics Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Cisco Umbrella Enforcement Pack v1.0.1#

Integrations#

Cisco Umbrella Enforcement#

Updated the Docker image to: demisto/python3:3.9.5.20958.

CiscoFirepower Pack v1.0.5#

Integrations#

Cisco Firepower#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Claroty Pack v1.0.9 (Partner Supported)#

Integrations#

Claroty#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Cloudflare Feed Pack v1.1.3#

Integrations#

Cloudflare Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cofense Feed Pack v1.0.7#

Integrations#

Cofense Feed#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Common Dashboards Pack v1.1.0#

Dashboards#

New: Troubleshooting Playbooks#

(Available from Cortex XSOAR 6.2.0).

New: Cost Optimization Instances#

(Available from Cortex XSOAR 6.2.0).

New: Cost Optimization Playbooks#

(Available from Cortex XSOAR 6.2.0).

New: Troubleshooting Instances#

(Available from Cortex XSOAR 6.2.0).

Common Scripts Pack v1.3.62#

Scripts#

PCAPMiner#

Documentation and metadata improvements.

GetDuplicatesMlv2#

Documentation and metadata improvements.

ExtractEmailV2#
  • Fixed an issue where some special characters didn't exist in the email regex.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.
MatchRegexV2#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.
New: JsonToTable#

A transformer that accepts a JSON object and returns a markdown. (Available from Cortex XSOAR 5.5.0).

VerifyIPv6Indicator#
  • Fixed an issue where the script did not drop indicators as expected.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.
SetByIncidentId#

Added the errorUnfinished argument. If set to true, the script will return an error if not all the incidents were modified.

ParseEmailFiles_SMIME_FIX#

Fixed an issue where the script would not parse SMIME files.

EmailAskUserResponse#

Fixed an issue where responses with \r characters were not handled properly.

Common Types Pack v3.1.1#

Incident Fields#

  • Title
  • Alert Acknowledgement
  • Alert Action
  • Alert Attack Time
  • Alert Malicious
  • Alert URL
  • Appliance ID
  • Appliance Name
  • Attack Mode
  • Destination MAC Address
  • File Name
  • File Path
  • Sensor IP
  • Sensor Name
  • Signature
  • Source MAC Address
  • Incident Link
  • Vendor Product
  • UUID

Indicator Fields#

Indicator Types#

Layouts#

  • Report - Changed the layout name from STIX Report to Report.
  • Attack Pattern - Changed the layout name from STIX Attack Pattern to Attack Pattern.
  • Tool - Changed the layout name from STIX Tool to Tool.
  • Threat Actor - Changed the layout name from STIX Threat Actor to Threat Actor.
  • Malware - Changed the layout name from STIX Malware to Malware.

Common Widgets Pack v1.1.1#

Widgets#

New: Command executions per Integration Category#

(Available from Cortex XSOAR 6.2.0).

New: Executions by status per Manual Tasks (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Command execution errors per Integration Category#

(Available from Cortex XSOAR 6.2.0).

New: Command execution type#

(Available from Cortex XSOAR 6.2.0).

New: Top executed Commands#

(Available from Cortex XSOAR 6.2.0).

New: Average runtime per Automation (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Average runtime by Incident Type per Playbook (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Command executions errors#

(Available from Cortex XSOAR 6.2.0).

New: Task execution errors#

(Available from Cortex XSOAR 6.2.0).

New: Least executed Commands per Instance#

(Available from Cortex XSOAR 6.2.0).

New: Average runtime by Instance per Command (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Command execution errors per Instance#

(Available from Cortex XSOAR 6.2.0).

New: Errors by Incident Type per Command (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Playbook run errors#

(Available from Cortex XSOAR 6.2.0).

New: Task executions#

(Available from Cortex XSOAR 6.2.0).

New: Playbook runs#

(Available from Cortex XSOAR 6.2.0).

New: Average runtime per Playbook (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Command average runtime per Instance (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Top Users Closed Manual Tasks#

(Available from Cortex XSOAR 6.2.0).

New: Failed Playbooks runs#

(Available from Cortex XSOAR 6.2.0).

New: Command executions per Incident Type#

(Available from Cortex XSOAR 6.2.0).

New: Least executed Commands#

(Available from Cortex XSOAR 6.2.0).

New: Manual Command execution errors (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Executions by status per Automated Tasks (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Commands executed#

(Available from Cortex XSOAR 6.2.0).

New: Failed Automation executions per Incident Types (top 5)#

(Available from Cortex XSOAR 6.2.0).

New: Failed Manual Tasks#

(Available from Cortex XSOAR 6.2.0).

New: Average runtime for Playbooks#

(Available from Cortex XSOAR 6.2.0).

New: Command execution errors#

(Available from Cortex XSOAR 6.2.0).

Malicious Indicators Activity by Type#

Fixed an issue where the time resolution value was missing.

Confluera Pack v1.0.1 (Partner Supported)#

Integrations#

Confluera#

Updated the Docker image to: demisto/python3:3.9.5.20958.

CrowdStrike Falcon Pack v1.2.18#

Integrations#

CrowdStrike Falcon#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CrowdStrike FalconX Pack v1.1.2#

Integrations#

CrowdStrike Falcon X#

Updated the Docker image to: demisto/python3:3.9.5.20070.

CrowdStrike Malquery Pack v1.0.3#

Integrations#

CrowdStrike Malquery#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Crowdstrike Falcon Intel Feed Pack v2.0.2#

Integrations#

CrowdStrike Falcon Intel Feed Actors#
  • Added support for reset last run for Cortex XSOAR version 6.2.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.
CrowdStrike Indicator Feed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

CyberTotal Pack v1.0.5 (Partner Supported)#

Integrations#

CyberTotal#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cyberint Pack v1.0.7 (Partner Supported)#

Integrations#

Cyberint#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Cymptom Pack v1.0.3 (Partner Supported)#

Integrations#

Cymptom#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cymulate Pack v2.0.4 (Partner Supported)#

Integrations#

Cymulate#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Cyren Threat InDepth Threat Intelligence Pack v1.5.4 (Partner Supported)#

Integrations#

Cyren Threat InDepth Threat Intelligence Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Scripts#

CyrenCountryLookup#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CyrenThreatInDepthRandomHunt#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CyrenThreatInDepthRelatedWidget#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CyrenThreatInDepthRelatedWidgetQuick#

Updated the Docker image to: demisto/python3:3.9.5.21272.

CyrenThreatInDepthRenderRelated#

Updated the Docker image to: demisto/python3:3.9.5.21272.

DShield Feed Pack v1.1.3#

Integrations#

DShield Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Darktrace Pack v1.0.4 (Partner Supported)#

Integrations#

Darktrace#

Updated the Docker image to: demisto/python3:3.9.5.21272.

DeepInstinct Pack v1.0.6 (Partner Supported)#

Integrations#

Deep Instinct#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Demisto Lock Pack v1.0.1#

Integrations#

Demisto Lock#

Added support for working with versioned integration cache. (Available from Cortex XSOAR version 6.2.0).

Demisto REST API Pack v1.1.3#

Scripts#

DemistoUploadFile#

Documentation and metadata improvements.

Deprecated Content Pack v1.6.11#

Scripts#

VectraTriage#

Documentation and metadata improvements.

ParseEmailFile#

Updated the Docker image to: demisto/python:2.7.18.20958.

Developer Tools Pack v1.1.3#

Integrations#

XSOAR Powershell Testing#
  • Added support for cache to be updated automatically on token expiration.
  • Updated the Docker image to: demisto/powershell-ubuntu:7.1.3.20650.

Scripts#

VerifyContextFields#

Documentation and metadata improvements.

VerifyContext#

Documentation and metadata improvements.

SetContext#

Documentation and metadata improvements.

WhileLoop#

Documentation and metadata improvements.

StringContains#

Documentation and metadata improvements.

Druva Ransomware Response Pack v1.0.1 (Partner Supported)#

Integrations#

Druva Ransomware Response#

Updated the Docker image to: demisto/python3:3.9.5.20070.

EWS Pack v1.8.22#

Integrations#

EWS O365#
  • Fixed an issue where the fetch-incidents process failed to decode emails due to an incorrect encoding format.
  • Updated the Docker image to: demisto/py3ews:1.0.0.20520.

Scripts#

BuildEWSQuery#

Added the escapeColons argument in order to escape colons in the generated query.

Email Communication Pack v1.3.9#

Classifiers#

New: MicrosoftGraphMailSingleUser-EmailCommunication#

Maps incoming MS Graph Mail Single user email message fields. (Available from Cortex XSOAR 5.5.0 to 5.9.9).

New: MS Graph Mail Single User - Classifier - Email Communication#

Classifies MS Graph Mail Single user email messages. (Available from Cortex XSOAR 6.0.0).

Mappers#

New: MS Graph Mail Single User - Incoming Mapper - Email Communication#

Maps incoming MS Graph Mail Single user email message fields (Available from Cortex XSOAR 6.0.0).

Scripts#

PreprocessEmail#

Updated the Docker image to: demisto/python3:3.9.5.20958.

SendEmailReply#

Updated the Docker image to: demisto/python3:3.9.5.20958.

EmailRepIO Pack v1.0.2#

Integrations#

EmailRep.io#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Endace Pack v1.1.4 (Partner Supported)#

Integrations#

Endace#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Playbooks#

Endace Search Archive and Download#

Documentation and metadata improvements.

Expanse (Deprecated) Pack v1.2.1 (Partner Supported)#

Scripts#

ExpanseParseRawIncident#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Expanse v2 Pack v1.5.1#

Integrations#

Expanse v2#
  • Added support for the Cloud resources asset type in the following commands.
    • expanse-assign-pocs-to-asset
    • expanse-unassign-pocs-from-asset
    • expanse-assign-tags-to-asset
    • expanse-unassign-pocs-from-asset
  • Added the expanse-get-cloud-resource command to fetch a Cloud Resource.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Scripts#

ExpanseRefreshIssueAssets#
  • Added a case statement for refreshing cloud resource data.
  • Updated the Docker image to demisto/python3:3.9.5.20070.

Export Indicators Pack v1.0.9#

Integrations#

Export Indicators Service#
  • New: Support for using NGINX as a front-end reverse proxy. NGINX now runs within the Docker container and handles caching and direct handling of incoming requests.
  • Updated the Docker image to: demisto/flask-nginx:1.0.0.20328.

Farsight DNSDB Pack v2.1.4 (Partner Supported)#

Integrations#

Farsight DNSDB v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Fastly Feed Pack v1.1.4#

Integrations#

Fastly Feed#

Internal infrastructure improvements.

FeodoTracker Feed Pack v1.1.4#

Integrations#

Feodo Tracker IP Blocklist Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Fetch Indicators From File Pack v1.0.3#

Scripts#

FetchIndicatorsFromFile#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/xlrd-py3:1.0.0.21492.

Fidelis Elevate Network Pack v1.0.3#

Integrations#

Fidelis Elevate Network#

Updated the Docker image to: demisto/python:2.7.18.20958.

FireEye ETP Pack v1.0.3#

Integrations#

FireEye ETP#

Updated the Docker image to: demisto/python:2.7.18.20958.

FireEye Feed Pack v2.0.1#

Integrations#

FireEye Feed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

FireEye HX Pack v1.0.15#

Integrations#

FireEye HX#

Fixed an issue where the fireeye-hx-host-containment command failed using API v3.

FireEye Network Security (NX) Pack v1.0.3#

Incident Types#

Integrations#

FireEye NX#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Flashpoint Pack v1.1.4 (Partner Supported)#

Integrations#

Flashpoint#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Forescout Pack v1.0.4#

Integrations#

Forescout#

Updated the Docker image to: demisto/python3:3.9.5.21272.

FortiGate Pack v1.0.2#

Integrations#

FortiGate#

Maintenance and stability enhancements.

FraudWatch PhishPortal Pack v1.0.3#

Integrations#

FraudWatch#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Freshdesk Pack v1.0.4#

Integrations#

Freshdesk#

Updated the Docker image to: demisto/python:2.7.18.20958.

Gamma Pack v1.0.1 (Partner Supported)#

Integrations#

Gamma#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Genians Pack v1.0.4 (Partner Supported)#

Integrations#

Genians#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Get License ID Pack v1.0.2#

Scripts#

GetLicenseID#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetServerURL Pack v1.0.1#

Scripts#

GetServerURL#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GitHub Pack v1.2.10#

Integrations#

GitHub IAM#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GitHub#

Added the GitHub-create-release command.

Google Safe Browsing Pack v2.0.2#

Integrations#

Google Safe Browsing v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GreatHorn Pack v1.0.1 (Partner Supported)#

Integrations#

GreatHorn#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Group-IB Threat Intelligence & Attribution Pack v1.0.2 (Partner Supported)#

Integrations#

Group-IB Threat Intelligence & Attribution#
  • Added instructions for the creation of the pre-processing rule.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.
Group-IB Threat Intelligence & Attribution Feed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Scripts#

New: GIBIncidentUpdate#

This script prevents duplication of existing incidents.

Gurucul Risk Analytics Pack v1.1.0 (Partner Supported)#

Integrations#

Gurucul-GRA#
  • Breaking Change: Changed the gra-fetch-users-details command output from Gra.User.joinDate to Gra.User.joiningDate.
  • Added the following commands:
    • gra-case-action: Closes a case and updates the anomaly status as Closed / Risk Managed / Model Reviewed.
    • gra-case-action-anomaly: Closes an anomaly/anomalies within a case and updates the anomaly status as Closed / Risk Managed / Model Reviewed.
    • gra-investigate-anomaly-summary: Retrieves an anomaly detailed summary.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Hello World IAM Pack v1.0.4#

Integrations#

Hello World IAM#

Updated the Docker image to: demisto/python3:3.9.5.20958.

HostIo Pack v1.0.1#

Integrations#

HostIo#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Humio Pack v1.0.6 (Partner Supported)#

Integrations#

Humio#

Updated the Docker image to: demisto/python3:3.9.5.20958.

IBM QRadar Pack v2.0.11#

Integrations#

IBM QRadar v3#

Fixed an issue where the events_limit integration parameter raised an error if it was not set and did not use its default value.

Scripts#

QRadarFullSearch#

Documentation and metadata improvements.

QRadarClassifier#

Documentation and metadata improvements.

IBM X-Force Exchange Pack v1.1.4#

Integrations#

IBM X-Force Exchange v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

IPQualityScore (IPQS) Threat Risk Scoring Pack v1.0.2 (Partner Supported)#

Integrations#

IPQualityScore#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Illusive Networks Pack v1.0.9 (Partner Supported)#

Integrations#

IllusiveNetworks#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Imperva WAF Pack v1.0.2#

Integrations#

Imperva WAF#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Impossible Traveler Pack v1.2.3#

Playbooks#

Impossible Traveler#

Maintenance and stability enhancements.

Indeni Pack v1.0.9 (Partner Supported)#

Integrations#

Indeni#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Infoblox Pack v1.0.4#

Integrations#

Infoblox#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Integrations & Incidents Health Check Pack v1.1.19#

Scripts#

CopyLinkedAnalystNotes#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetFailedTasks#

Updated the Docker image to: demisto/python3:3.9.5.20958.

IncidentsCheck-NumberofIncidentsNoOwner#

Updated the Docker image to: demisto/python3:3.9.5.20958.

IncidentsCheck-NumberofIncidentsWithErrors#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Intel471 Feed Pack v2.0.0 (Partner Supported)#

Integrations#

Intel471 Malware Feed (Deprecated)#

Deprecated. Use Intel471 Malware Indicator Feed instead.

New: Intel471 Malware Indicator Feed#
  • Intel471's Malware Intelligence is focused on the provisioning of a high fidelity and timely indicators feed with rich context, TTP information, and malware intelligence reports.
  • Added support for relations between indicators.

IronNet Pack v1.1.5 (Partner Supported)#

Integrations#

IronDefense#

Updated the Docker image to: demisto/python3:3.9.5.20958.

JSON Feed Pack v1.1.4#

Integrations#

JSON Feed#

Internal infrastructure improvements.

Jask Pack v1.0.1#

Integrations#

Jask#

Updated the Docker image to: demisto/python:2.7.18.20958.

Joe Security Pack v1.0.5#

Integrations#

Joe Security#

Fixed an issue where the joe-analysis-submit-sample command failed when a file with a backslash in its name was submitted.

Lastline Pack v1.0.7#

Integrations#

Lastline v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Linkshadow Pack v1.0.2 (Partner Supported)#

Integrations#

Linkshadow#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.

LogPoint SIEM Integration Pack v1.2.0 (Partner Supported)#

Integrations#

LogPoint SIEM Integration#
  • Added 7 commands:
    • lp-get-users-preference
    • lp-get-logpoints
    • lp-get-repos
    • lp-get-devices
    • lp-get-livesearches
    • lp-get-searchid
    • lp-search-logs
  • Added the content pack's README file.
  • Updated the Docker image to: demisto/python3:3.9.5.20070.

Looker Pack v1.0.3#

Integrations#

Looker#

Updated the Docker image to: demisto/python3:3.9.5.21272.

MISP Pack v1.0.11#

Integrations#

MISP v2#

Added the warninglists argument to the following commands:

  • misp-search
  • misp-search-attributes

Scripts#

misp_upload_sample#

Documentation and metadata improvements.

misp_download_sample#

Documentation and metadata improvements.

MITRE ATT&CK v2 Pack v1.0.1#

Dashboards#

MITRE ATT&CK v2#

Maintenance and stability enhancements.

MailListener - POP3 (Beta) Pack v1.0.3#

Integrations#

MailListener - POP3 Beta#

Updated the Docker image to: demisto/python:2.7.18.20958.

Maltiverse Pack v1.0.4#

Integrations#

Maltiverse#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Malware Pack v1.2.9#

Incident Fields#

  • Malware Name - Assign to FireEye incident types.
  • Parent Process ID - Stability enhancements.

Manage Engine Service Desk Plus (On-Premise) Pack v1.0.3#

Integrations#

Service Desk Plus (On-Premise) (Deprecated)#

Updated the Docker image to: demisto/python3:3.9.5.21272.

McAfee Advanced Threat Defense Pack v1.0.6#

Integrations#

McAfee Advanced Threat Defense#

Updated the Docker image to: demisto/python:2.7.18.20958.

McAfee ESM Pack v1.1.7#

Integrations#

McAfee ESM v2#
  • Fixed an issue where the event list of a case was deleted when running the esm-edit-case command.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.

McAfee ESM v10 and v11 Pack v1.0.7#

Integrations#

McAfee ESM v10 and v11 (Deprecated)#

Updated the Docker image to: demisto/python:2.7.18.20958.

Microsoft 365 Defender Pack v1.0.1#

Integrations#

Microsoft 365 Defender (Beta)#

Updated link in the integration's description to point to xsoar.pan.dev document.

Microsoft Cloud App Security Pack v1.0.19#

Integrations#

Microsoft Cloud App Security#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Microsoft Graph Mail Single User Pack v1.0.17#

Integrations#

Microsoft Graph Mail Single User#
  • Fixed an issue where embedded images could not be referenced from the email body.
  • Added the reply-mail command: Replies to an email using Graph Mail.
  • Updated the Docker image to: demisto/crypto:1.0.0.19032.

Microsoft Teams Pack v1.1.11#

Integrations#

Microsoft Teams#

Added a lock on the calls to the Cortex XSOAR server from the Demisto object to improve the parallel calls to it.

Scripts#

MicrosoftTeamsAsk#

Updated the Docker image to: demisto/python3:3.9.5.21272.

MobileIron-UEM Pack v1.0.3 (Partner Supported)#

Integrations#

MobileIronCLOUD#

Updated the Docker image to: demisto/python3:3.9.5.20958.

MobileIronCORE#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ModulesManagement Pack v1.0.1#

Scripts#

GetInstances#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Netscout Arbor Edge Defense - AED Pack v1.0.2#

Integrations#

Netscout Arbor Edge Defense#
  • Documentation and metadata improvements.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.

Netscout Arbor Sightline Pack v1.0.2#

Integrations#

Netscout Arbor Sightline (Peakflow)#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Nutanix Hypervisor Pack v1.0.2#

Integrations#

Nutanix Hypervisor#

Updated the Docker image to: demisto/python3:3.9.5.20958.

OpenPhish Pack v2.0.3#

Integrations#

OpenPhish v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Orca Pack v1.0.5 (Partner Supported)#

Integrations#

Orca#

Updated the Docker image to: demisto/python3:3.9.5.20958.

PAN-OS Pack v1.6.19#

Incident Fields#

  • CVE List
  • Target

Incident Types#

PanoramaThreatCoverage

Layouts#

PanoramaThreatCoverage

Layouts Containers#

Panorama Threat Coverage Layout

Playbooks#

New: NetOps Panorama coverage by CVE#

Finds if there is signature coverage for a specific CVE. (Available from Cortex XSOAR 5.0.0).

Scripts#

New: PanoramaCVECoverage#

Checks coverage given a list of CVEs. (Available from Cortex XSOAR 5.0.0).

PAN-OS to Cortex Data Lake Monitoring Pack v1.0.5 (Community Contributed)#

Scripts#

PANOStoCortexDataLakeMonitoring#

Updated the Docker image to: demisto/python3:3.9.5.20958.

PANW Comprehensive Investigation Pack v1.3.6#

Scripts#

PanwIndicatorCreateQueries#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Palo Alto Networks BPA Pack v1.2.6#

Integrations#

Palo Alto Networks BPA#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.16#

Integrations#

Palo Alto Networks Cortex XDR - Investigation and Response#
  • Added the following fields to the xdr-get-incident-extra-data command context outputs.
    • mitre_techniques_ids_and_names
    • mitre_tactics_ids_and_names
  • The argument severity in te xdr-insert-parsed-alert command will now have Medium as the default value.
  • Added support for multiple file paths in the following commands:
    • xdr-run-script-file-exists
    • xdr-run-script-delete-file
  • Added support for multiple processes names in the *xdr-run-script-kill-process command.
  • Added support for multiple action IDs in the following commands:
    • xdr-get-script-execution-status
    • xdr-get-script-execution-results
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Playbooks#

New: Cortex XDR - delete file#

Initiates a new endpoint script execution to delete the specified file and retrieves the results. (Available from Cortex XSOAR 5.5.0).

New: Cortex XDR - Execute snippet code script#

Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results. (Available from Cortex XSOAR 5.5.0).

New: Cortex XDR - check file existence#

Initiates a new endpoint script execution to check if the file exists and retrieves the results. (Available from Cortex XSOAR 5.5.0).

New: Cortex XDR - Run script#

Initiates a new endpoint script execution action using a provided script unique ID from the Cortex XDR script library. (Available from Cortex XSOAR 5.5.0).

New: Cortex XDR - kill process#

Initiates a new endpoint script execution kill process and retrieves the results. (Available from Cortex XSOAR 5.5.0).

New: Cortex XDR - Execute commands#

Initiates a new script execution of shell commands. (Available from Cortex XSOAR 5.5.0).

Cortex XDR - Retrieve File Playbook#

Added a generic file path playbook input.

Cortex XDR - Check Action Status#

Added a playbook input for action status polling timeout.

Scripts#

XDRSyncScript#

Documentation and metadata improvements.

Palo Alto Networks IoT Pack v1.0.3#

Integrations#

Palo Alto Networks IoT#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Palo Alto Networks PAN-OS EDL Service Pack v2.0.5#

Integrations#

Palo Alto Networks PAN-OS EDL Service#

The integration now uses NGINXApiModule.

Palo Alto Networks WildFire Pack v1.3.5#

Integrations#

Palo Alto Networks WildFire v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

PassiveTotal Pack v2.0.9 (Partner Supported)#

Scripts#

PTEnrich#

Documentation and metadata improvements.

Pentera Pack v1.0.4 (Partner Supported)#

Scripts#

PenteraDynamicTable#

Updated the Docker image to: demisto/python3:3.9.5.20958.

PenteraOperationToIncident#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Perch Pack v1.0.4#

Integrations#

Perch#

Updated the Docker image to: demisto/python3:3.9.5.21272.

PhishLabs Pack v1.0.3#

Integrations#

PhishLabs IOC#

Updated the Docker image to: demisto/python3:3.9.5.21272.

PhishLabs IOC DRP#

Updated the Docker image to: demisto/python3:3.9.5.21272.

PhishLabs IOC EIR#

Updated the Docker image to: demisto/python3:3.9.5.21272.

PhishTank Pack v2.0.7#

Integrations#

PhishTank v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Phishing Pack v2.2.3#

Incident Fields#

Scripts#

CheckEmailAuthenticity#

Updated the Docker image to: demisto/python:2.7.18.20958.

Phishing Campaign Pack v2.0.5#

Scripts#

FindEmailCampaign#
  • Removed the following titles from the script readable outputs:
    • emailcampaignsummary
    • emailcampaignmutualindicators
  • Added the include_self argument. If set to true, the script will add the current incident to the EmailCampaign list in the context.
  • Added EmailCampaign.firstIncidentDate to the context outputs, representing the date of the earliest incident in the campaign.
PerformActionOnCampaignIncidents#

Added "Unlink & Reopen" to the possible actions of the interactive management section.

New: GetCampaignDuration#

Calculates the duration of the campaign and returns the result as a string in HTML format. (Available from Cortex XSOAR 5.5.0).

PolySwarm Pack v2.0.1 (Partner Supported)#

Integrations#

PolySwarm v2 Community#

Added documentation for the integration.

Prisma Cloud Pack v1.7.1#

Scripts#

PrismaCloudAttribution#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Prisma Cloud Compute Pack v1.0.9#

Integrations#

Palo Alto Networks - Prisma Cloud Compute#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Proofpoint TAP Pack v1.1.2#

Incident Fields#

  • Proofpoint TAP Quarantine Rule
  • Proofpoint TAP ID
  • Proofpoint TAP Threat Info Map
  • Proofpoint TAP Cluster
  • Proofpoint TAP Threat URL
  • Proofpoint TAP Threat Time
  • Proofpoint TAP Phishing Score
  • Proofpoint TAP Threat ID
  • Proofpoint TAP Message Parts
  • Proofpoint TAP Header CC
  • Proofpoint TAP Campaign ID
  • Proofpoint TAP Suspicious URL
  • Proofpoint TAP Reply To Address
  • Proofpoint TAP Classification
  • Proofpoint TAP SMTP Sender
  • Proofpoint TAP Header To
  • Proofpoint TAP Spam Score
  • Proofpoint TAP Xmailer
  • Proofpoint TAP Type
  • Proofpoint TAP Imposter Score
  • Proofpoint TAP Message ID
  • Proofpoint TAP GUID
  • Proofpoint TAP Examined By
  • Proofpoint TAP Subject
  • Proofpoint TAP Malware Score
  • Proofpoint TAP Message Layout
  • Proofpoint TAP User Agent
  • Proofpoint TAP Click Time
  • Proofpoint TAP Threat Status
  • Proofpoint TAP Sender IP
  • Proofpoint TAP Policies
  • Proofpoint TAP Quarantine Folder
  • Proofpoint TAP Click IP
  • Proofpoint TAP Headers Reply To
  • Proofpoint TAP Message Size
  • Proofpoint TAP Headers From
  • Proofpoint TAP Sender Address
  • Proofpoint TAP SMTP Recipient

Scripts#

ProofpointTAPMostAttackedUsers#

Added the ProofpointTAPMostAttackedUsers script to export a list of ProofPointTAP most attacked users to the Cortex XSOAR widget.

ProofpointTapTopClickers#

Added the ProofpointTapTopClickers script to export a list of ProofPointTAP top clickers to the Cortex XSOAR widget.

Layouts Containers#

Added the following layout containers:

  • Proofpoint TAP Message Layout
  • Proofpoint TAP Clicks Layout

Layouts#

Added the following layouts:

  • layout-detailsV2-ProofPointTAP_Message_Layout-ProofPointTAP___Message_Delivered
  • layout-detailsV2-ProofPointTAP_Message_Layout-ProofPointTAP___Message_Blocked
  • layout-detailsV2-ProofPointTAP_Clicks_Layout-ProofPointTAP___Click_Blocked
  • layout-detailsV2-ProofPointTAP_Clicks_Layout-ProofPointTAP___Click_Permitted

Classifiers#

Added the following classifiers:

  • Proofpoint TAP Classifier - Supported version 6.0.0 of Cortex XSOAR.
  • Proofpoint TAP v2 - Supported version 5.5.0 of Cortex XSOAR.

Mappers#

Added the Proofpoint TAP Mapper.

Reports#

Added the Proofpoint TAP Weekly Report.

Dashboards#

Added the Proofpoint TAP dashboard.

Playbooks#

Proofpoint TAP - Event Enrichment#

Added the Proofpoint TAP - Event Enrichment playbook to get information about the forensics of threats and campaigns for an event.

Incident Types#

  • Proofpoint TAP - Click Blocked
  • Proofpoint TAP - Click Permitted
  • Proofpoint TAP - Message Delivered
  • Proofpoint TAP - Message Blocked

Integrations#

Proofpoint TAP v2#
  • Added the following commands:
    • proofpoint-get-events-clicks-blocked
    • proofpoint-get-events-clicks-permitted
    • proofpoint-get-events-messages-blocked
    • proofpoint-get-events-messages-delivered
    • proofpoint-list-issues
    • proofpoint-list-campaigns
    • proofpoint-get-campaign
    • proofpoint-list-most-attacked-users
    • proofpoint-get-top-clickers
    • proofpoint-url-decode
  • Updated the test-module command.

Pwned Pack v1.0.2#

Integrations#

Have I Been Pwned? v2#

Updated the Docker image to: demisto/python:2.7.18.20958.

QualysFIM Pack v1.0.3#

Integrations#

Qualys FIM#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Quantum Security Systems Pack v1.0.1 (Partner Supported)#

Integrations#

QSS#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Quest Kace Pack v1.0.4#

Integrations#

Quest KACE Systems Management Appliance (Beta)#

Updated the Docker image to: demisto/python3:3.9.5.21272.

RST Threat Feed Pack v1.0.2 (Partner Supported)#

Integrations#

RST Cloud - Threat Feed API#

Updated the Docker image to: demisto/python3:3.9.5.20958.

RTIR Pack v1.0.6#

Integrations#

RTIR#

Updated the Docker image to: demisto/python:2.7.18.20958.

Recorded Future Pack v1.1.0#

Integrations#

Recorded Future (Deprecated)#

Deprecated. Use Recorded Future v2 instead.

Recorded Future Feed Pack v1.0.10#

Integrations#

Recorded Future RiskList Feed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

RecordedFuture v2 Pack v1.1.3 (Partner Supported)#

Integrations#

Recorded Future v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Red Canary Pack v1.1.1#

Integrations#

Red Canary#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ReplaceMatchGroup Pack v1.0.2#

Scripts#

ReplaceMatchGroup#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Respond Analyst Pack v1.0.1 (Partner Supported)#

Integrations#

Mandiant Automated Defense (Formerly Respond Software)#

Updated the Docker image to: demisto/python3:3.9.5.21272.

RiskIQ Digital Footprint Pack v1.0.7 (Partner Supported)#

Integrations#

RiskIQ Digital Footprint#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Scripts#

RiskIQDigitalFootprintAssetDetailsWidgetScript#

Updated the Docker image to: demisto/python3:3.9.5.20958.

RiskSense Pack v1.0.6 (Partner Supported)#

Integrations#

RiskSense#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Rundeck Pack v1.0.3#

Integrations#

Rundeck#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Playbooks#

Rundeck_test#

Maintenance and stability enhancements.

SafeBreach Breach and Attack Simulation platform Pack v1.1.6 (Partner Supported)#

Integrations#

SafeBreach v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

SailPoint IdentityIQ Pack v1.0.3 (Partner Supported)#

Incident Types#

  • SailPoint IdentityIQ Alert
  • Maintenance and stability enhancements.

Integrations#

SailPoint IdentityIQ#
  • Corrected the documented integration outputs to match the actual outputs.
  • Add handling for proxy and insecure with headers request.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

SailPoint IdentityNow Pack v1.0.1 (Partner Supported)#

Integrations#

SailPoint IdentityNow#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Salesforce Pack v1.0.8#

Integrations#

Salesforce IAM#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Securonix Pack v1.1.5#

Integrations#

Securonix#

Updated the Docker image to: demisto/python3:3.9.5.21272.

SendGrid Pack v1.0.1 (Community Contributed)#

Integrations#

SendGrid#

Maintenance and stability enhancements.

SentinelOne Pack v2.0.2#

Integrations#

SentinelOne v2#
  • Added the limit argument to the sentinelone-list-agents command.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Sepio Pack v1.0.2 (Partner Supported)#

Integrations#

Sepio#

Updated the Docker image to: demisto/python3:3.9.5.20070.

Server Message Block (SMB) Pack v2.0.2#

Integrations#

Server Message Block (SMB) v2#
  • Fixed an issue where the negotiation in the authentication flow using the Domain Controller parameter failed.
  • Updated the Docker image to: demisto/smbprotocol:1.0.0.19032.

ServiceNow Pack v2.1.24#

Integrations#

ServiceNow CMDB#

Updated the Docker image to: demisto/python3:3.9.5.21272.

ServiceNow IAM#

Updated the Docker image to: demisto/python3:3.9.5.21272.

ServiceNow v2#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Shift Management Pack v1.2.3#

Scripts#

GetNumberOfUsersOnCall#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetOnCallHoursPerUser#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetRolesPerShift#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetShiftsPerUser#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetUsersOOO#

Updated the Docker image to: demisto/python3:3.9.5.20958.

GetUsersOnCall#

Updated the Docker image to: demisto/python3:3.9.5.20958.

TimeToNextShift#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Signal Sciences WAF Pack v1.0.2#

Integrations#

Signal Sciences WAF#

Added the following integration parameters:

  • proxy
  • Trust any certificate

Sixgill Darkfeed - Annual Subscription Pack v2.0.1 (Partner Supported)#

Scripts#

SixgillSearchIndicators#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Slack Pack v1.3.21#

Integrations#

Slack IAM#
  • Changed the Access Token parameter type to encrypted.
  • Updated the Docker image to: demisto/python3:3.9.5.20958.

Smokescreen IllusionBLACK Pack v1.0.8 (Partner Supported)#

Integrations#

Smokescreen IllusionBLACK#

Updated the Docker image to: demisto/python3:3.9.5.21272.

SolarWinds Pack v1.0.1#

Integrations#

SolarWinds#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Sophos Central Pack v1.0.4#

Integrations#

Sophos Central#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Spamhaus Feed Pack v1.1.3#

Integrations#

Spamhaus Feed#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Splunk Pack v2.1.3#

Scripts#

SplunkPySearch#

Documentation and metadata improvements.

Sumo Logic Cloud SIEM Pack v1.0.1 (Partner Supported)#

Integrations#

Sumo Logic Cloud SIEM#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Symantec Managed Security Services Pack v1.0.3#

Integrations#

Symantec Managed Security Services#

Fixed an issue where the command symantec-mss-get-incident did not work as expected.

Symantec Management Center Pack v1.0.3#

Integrations#

Symantec Management Center#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Syslog Sender Pack v1.0.2#

Integrations#

Syslog Sender#

Updated the Docker image to: demisto/python3:3.9.5.20070.

TAXII Feed Pack v1.0.9#

Integrations#

TAXII 2 Feed#
  • Deprecated the reset_fetch_command command. From Cortex XSOAR version 6.2, use the Re-fetch indicators button in the feed instance settings instead.
  • Updated the Docker image to: demisto/taxii2:1.0.0.19258.

Tanium Threat Response Pack v1.0.4#

Integrations#

Tanium Threat Response#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Thinkst Canary Pack v1.0.4#

Integrations#

Thinkst Canary#

Updated the Docker image to: demisto/python:2.7.18.20958.

Threat Crowd Pack v2.0.4#

Integrations#

Threat Crowd v2#
  • Fixed an issue where a response with no results returned an error in the ip command.
  • Fixed an issue where the ip command failed when 'references' value is missing from the server response.
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Threat Intelligence Management Pack v1.0.3#

Scripts#

ThreatIntelManagementGetIncidentsPerFeed#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ThreatExchange Pack v2.0.1#

Integrations#

ThreatExchange v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Tidy Pack v1.0.5#

Integrations#

Tidy#

Maintenance and stability enhancements.

Layouts#

  • Tidy
  • Maintenance and stability enhancements.

Playbooks#

Content developer setup#
  • Maintenance and stability enhancements.
  • Updated the Docker image to: demisto/tidy:1.0.0.21489.

Trello Pack v1.0.2 (Community Contributed)#

Integrations#

Trello#

Updated the Docker image to: demisto/python3:3.9.5.20958.

TrendMicro Cloud App Security Pack v1.0.2#

Integrations#

TrendMicro Cloud App Security#

Updated the Docker image to: demisto/python3:3.9.5.21272.

Tripwire Pack v1.0.2#

Integrations#

Tripwire#

Updated the Docker image to: demisto/python3:3.9.5.20958.

TrustwaveSEG Pack v1.0.1#

Integrations#

Trustwave Secure Email Gateway#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Urlscan.io Pack v1.1.8#

Integrations#

urlscan.io#

Updated the Docker image to: demisto/python:2.7.18.20958.

VMRay Pack v1.0.3#

Integrations#

VMRay#

Updated the Docker image to: demisto/python:2.7.18.20958.

Vectra Pack v1.0.1#

Integrations#

Vectra v2#

Updated the Docker image to: demisto/python3:3.9.5.20958.

WootCloud Pack v1.0.4 (Partner Supported)#

Integrations#

WootCloud#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Workday Pack v1.1.4#

Integrations#

Workday#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Workday IAM#

Updated the Docker image to: demisto/python3:3.9.5.20958.

X509Certificate Pack v1.0.5#

Scripts#

CertificateReputation#

Updated the Docker image to: demisto/python3:3.9.5.20958.

XM Cyber Pack v1.0.8 (Partner Supported)#

Integrations#

XM Cyber#
  • Fixed an issue where the following commands used the wrong API:
    • ip
    • xmcyber-hostname
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

XSOAR Mirroring Pack v2.0.2#

Integrations#

XSOAR Mirroring#

Updated the Docker image to: demisto/python3:3.9.5.20958.

ZeroFox Pack v1.0.1#

Integrations#

ZeroFox#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Zimperium Pack v1.0.7#

Integrations#

Zimperium#

Updated the Docker image to: demisto/python3:3.9.5.20958.

Zscaler Pack v1.1.6#

Integrations#

Zscaler#

Updated the Docker image to: demisto/python:2.7.18.20958.

iDefense Pack v3.0.6#

Integrations#

iDefense Feed#

Internal infrastructure improvements.

Assets#

Edit this page
Report an Issue