Skip to main content

Cortex XSOAR Content Release Notes for version 21.8.2 (7337770)

Published on 31 August 2021#

Breaking Changes#

The following pack includes breaking changes:

New: Ansible Alibaba Cloud Pack v1.0.0#

Integrations#

Ansible Alibaba Cloud#

Manage Alibaba Cloud Elastic Compute instances.


New: Ansible Azure Pack v1.0.0#

Integrations#

Ansible Azure#

Manage Azure resources.


New: Ansible Cisco IOS Pack v1.0.0#

Integrations#

Ansible Cisco IOS#

Cisco IOS platform management over SSH.


New: Ansible Cisco NXOS Pack v1.0.0#

Integrations#

Ansible Cisco NXOS#

Cisco NX-OS platform management over SSH.


New: Ansible Hetzner Cloud Pack v1.0.0#

Integrations#

Ansible HCloud#

Manage your Hetzner Cloud environment.


New: Ansible Kubernetes Pack v1.0.0#

Integrations#

Ansible Kubernetes#

Manage Kubernetes.


New: Ansible Linux Pack v1.0.0#

Integrations#

Ansible ACME#

Control Automatic Certificate Management Environment on Linux hosts.

Ansible DNS#

Manage DNS records using NSUpdate.

Linux#

Agentless Linux host management over SSH.

Ansible OpenSSL#

Control OpenSSL on remote Linux hosts.


New: Ansible Microsoft Windows Pack v1.0.0#

Integrations#

Ansible Microsoft Windows#

Agentless Windows host management over WinRM.

Playbooks#

Wait Until Windows Host Online v2#

Pauses execution until the Windows host responds to a ping over WinRM.

Windows Application Deployment v2#

Helps an operator install Windows applications to workstations using the Chocolatey package manager.


New: Ansible VMware Pack v1.0.0#

Integrations#

Ansible VMware#

Manage VMware vSphere server, guests, and ESXi hosts.


New: ConvertTimezoneFromUTC Pack v1.0.0 (Community Contributed)#

Scripts#

ConvertTimezoneFromUTC#

Takes UTC and converts it to the specified timezone. Format must match the UTC date's format and output will be the same format. Can use in conjunction with ConvertDateToString.


New: CrowdStrike OpenAPI Pack v1.0.0#

Integrations#

CrowdStrike OpenAPI (Beta)#

Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc.


New: Logsign SIEM Pack v1.0.0 (Partner Supported)#

Classifiers#

LogsignSIEM_Classifier#
LogsignSIEM Mapper#

Integrations#

LogsignSiem#

Logsign SIEM provides the ability to collect and store unlimited data, investigate and detect threats, and respond automatically.


New: SecurityTrails Pack v1.0.0 (Community Contributed)#

Integrations#

SecurityTrails#

This integration provides API access to the SecurityTrails platform.


New: SplunkCIMFields Pack v1.0.0 (Community Contributed)#

Scripts#

SplunkCIMFields#

Convert Splunk CIM fields dynamically into field values.


New: Threat Intel Pack v1.0.0#

Dashboards#

Threat Intel Dashboard#

Generic Definitions#

Threat Intel Report#

Generic Modules#

Threat Intel#

Layouts#

Threat Report Layout (Available from Cortex XSOAR 6.5.0)


New: ThycoticDSV Pack v1.0.0 (Partner Supported)#

Integrations#

ThycoticDSV#

Manage credentials for applications, databases, CI/CD tools, and services without causing friction in the development process.


ANY.RUN Pack v1.0.5#

Integrations#

ANY.RUN#

Updated the Docker image to: demisto/python3:3.9.6.22912.


ARIAPacketIntelligence Pack v2.0.5 (Partner Supported)#

Integrations#

ARIA Packet Intelligence#

Updated the Docker image to: demisto/python3:3.9.6.22912.


AWS Feed Pack v1.1.7#

Integrations#

AWS Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Abnormal Security Pack v1.1.0 (Partner Supported)#

Integrations#

Abnormal Security#
  • Added the following abuse mailbox information commands:
    • abnormal-security-list-abuse-mailbox-campaigns - Lists abuse mailbox campaigns.
    • abnormal-security-get-abuse-mailbox-campaign - Gets abuse mailbox campaign details.
  • Added the abnormal-security-get-case-analysis-and-timeline case analysis command - Gets case analysis and timeline.
  • Added the following genome/employee information commands:
    • abnormal-security-get-employee-identity-analysis - Gets identity analysis of an employee.
    • abnormal-security-get-employee-information - Gets employee information.
    • abnormal-security-download-threat-log-csv - Retrieves threat log in csv format.
  • Enable subtenancy input when accessing threats, cases and abuse mailbox endpoints.
  • Add the subtenant parameter for users who have subtenancy enabled.
  • For the abnormal-security-get-latest-threat-intel-feed threat intel command, the output is saved to a file on Cortex XSOAR and is ready to download.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

Acalvio ShadowPlex Pack v1.0.3 (Partner Supported)#

Integrations#

Acalvio ShadowPlex#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Accessdata Pack v1.0.4 (Partner Supported)#

Integrations#

Accessdata#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Agari Phishing Defense Pack v1.0.4 (Partner Supported)#

Integrations#

Agari Phishing Defense#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Alexa Rank Indicator Pack v2.0.0#

Integrations#

New: Alexa Rank Indicator v2#
  • Uses the Alexa API rank.
  • Domains which are not in the Alexa database, are considered "Unknown" instead of "Suspicious".
  • If the domain doesn't exist, an error occurs.
  • Changed the following default values:
    • 1000 for Top Domain Threshold.
    • unspecified for Suspicious Domain Threshold.

AlienVault USM Anywhere Pack v1.0.7#

Integrations#

AlienVault USM Anywhere#
  • Fixed an issue where the integration failed to parse dates from the alarm data.
  • Fixed an issue where the integration failed to parse the alarm occurred time.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

AlphaVantage Pack v1.0.3 (Community Contributed)#

Integrations#

AlphaVantage#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Anomali ThreatStream Pack v1.1.2#

Integrations#

Anomali ThreatStream v2#
  • Added support for the Source Reliability integration parameter.
  • Updated the Docker image to: demisto/emoji:1.0.0.23151

Ansible Powered Integrations Pack v2.0.0 (Community Contributed)#

Integrations#

Ansible Cisco IOS (Deprecated)#

Deprecated Cisco IOS Platform Management over SSH. Use Ansible Cisco IOS (from the Ansible Cisco IOS pack) instead.

Ansible Azure Compute (Deprecated)#

Deprecated Manage Azure Compute Resources. Use Ansible Azure (from the Ansible Azure pack) instead.

Ansible VMware (Deprecated)#

Deprecated Manage VMware vSphere Server, Guests, and ESXi Hosts. Use Ansible VMware (from the Ansible VMware pack) instead.

Ansible DNS (Deprecated)#

Deprecated Manage DNS Records using NSUpdate. Use Ansible DNS (in the Ansible Linux pack) instead.

Ansible Microsoft Windows (Deprecated)#

Deprecated Agentless Windows Host Management over WinRM. Use Ansible Microsoft Windows (from the Ansible Microsoft Windows pack) instead.

Ansible Kubernetes (Deprecated)#

Deprecated Manage Kubernetes. Use Ansible Kubernetes (from the Ansible Kubernetes pack) instead.

Ansible Azure Networking (Deprecated)#

Deprecated Manage Azure Networking Resources. Use Ansible Azure (from the Ansible Azure pack) instead.

Ansible Cisco NXOS (Deprecated)#

Deprecated Cisco NXOS Platform Management over SSH. Use Ansible Cisco NXOS (from the Ansible Cisco NXOS pack) instead.

Ansible HCloud (Deprecated)#

Deprecated Manage your Hetzner Cloud Environment. Use the Ansible HCloud (from the Ansible Hetzner Cloud Pack) instead.

Ansible Alibaba Cloud (Deprecated)#

Deprecated Manage Alibaba Cloud Elastic Compute Instances. Use Ansible Alibaba Cloud (from the Ansible Alibaba Cloud Pack) instead.

Ansible Linux (Deprecated)#

Deprecated Agentlesss Linux Host Management over SSH. Use Ansible Linux (in the Ansible Linux pack) instead.

Ansible OpenSSL (Deprecated)#

Deprecated Control OpenSSL on Remote Linux Hosts. Use Ansible OpenSSL (in the Ansible Linux pack) instead.

Ansible ACME (Deprecated)#

Deprecated Automatic Certificate Management Environment of Linux Hosts. Use Ansible ACME (in the Ansible Linux pack) instead.

Playbooks#

Wait Until Windows Host Online#

Deprecated. Use the Wait Until Windows Host Online playbook from the Ansible Microsoft Windows pack.

Windows Application Deployment#

Deprecated. Use the Windows Application Deployment playbook from the Ansible Microsoft Windows pack.


ApiModules Pack v2.2.3#

Scripts#

JSONFeedApiModule#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.

HTTPFeedApiModule#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


ArcannaAI Pack v1.0.1 (Partner Supported)#

Integrations#

Arcanna.AI#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Arduino Pack v1.0.2 (Community Contributed)#

Integrations#

Arduino#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Armis Pack v1.0.3#

Integrations#

Armis#

Updated the Docker image to: demisto/python3:3.9.6.22912.


AttackIQ Platform Pack v1.0.5#

Integrations#

AttackIQ Platform#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Azure SQL Management (Beta) Pack v1.0.6#

Integrations#

Azure SQL Management (Beta)#

Updated the Docker image to: demisto/crypto:1.0.0.23151.


Barracuda Pack v1.0.2 (Community Contributed)#

Integrations#

Barracuda Reputation Block List (BRBL)#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Base Pack v1.13.26#

Scripts#

CommonServerPython#
  • Added the CustomIndicator indicator.
  • Changed the CustomIndicator Value field name to value.
  • Added to_readable() to the DBotScore object. Returns the text representation of the score.
  • Fixed an issue where there was an attempt to close a session that was not initialized.
  • Maintenance and stability enhancements.
CommonServer#

Fixed the months mapping of October and December in the month_names_short object.

StixParser#
  • Fixed an issue where the automation script failed to parse SSDEEP values.
  • Updated the Docker image to: demisto/stix:1.0.0.23135.

Bastille Networks Pack v1.0.5 (Partner Supported)#

Integrations#

Bastille Networks#

Updated the Docker image to: demisto/python3:3.9.6.22912.


BitDam Pack v1.0.3 (Community Contributed)#

Integrations#

BitDam#

Updated the Docker image to: demisto/python3:3.9.6.22912.


BitSight Pack v1.0.6 (Partner Supported)#

Integrations#

BitSight for Security Performance Management#

Updated the Docker image to: demisto/python3:3.9.6.22912.


BlockList DE Feed Pack v1.1.6#

Integrations#

Blocklist_de Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Blueliv ThreatCompass Pack v1.0.4 (Community Contributed)#

Integrations#

Blueliv ThreatCompass#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Blueliv ThreatContext Pack v1.0.3 (Community Contributed)#

Integrations#

Blueliv ThreatContext#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Bonusly Pack v1.0.4 (Community Contributed)#

Integrations#

Bonusly#

Updated the Docker image to: demisto/python3:3.9.6.22912.


BruteForce Feed Pack v1.1.6#

Integrations#

BruteForceBlocker Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Check Point Firewall Pack v2.1.0#

Integrations#

CheckPoint Firewall v2#

Fixed issues when logging in and using the integration with proxy connection.

Playbooks#

Checkpoint - Block IP - Custom Block Rule#

Fixed an issue where the playbook would run only with a Checkpoint Firewall V1 instance.

Checkpoint - Publish&Install configuration#

Fixed an issue where the playbook would run only with a Checkpoint Firewall V1 instance.

Checkpoint - Block URL#

Fixed an issue where the playbook would run only with a Checkpoint Firewall V1 instance.


Cisco Email Security Appliance (IronPort) Pack v1.0.1#

Integrations#

Cisco Email Security Appliance (IronPort)#

Documentation and metadata improvements.


Cisco Umbrella Investigate Pack v1.0.6#

Integrations#

Cisco Umbrella Investigate#
  • Fixed an issue where the domain command failed when parsing a domain without email results.
  • Added support for CSV list of domains in the domain command.
  • Updated the Docker image to: demisto/python:2.7.18.22912.

Cloudflare Feed Pack v1.1.6#

Integrations#

Cloudflare Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Common Playbooks Pack v2.0.3#

Playbooks#

Email Address Enrichment - Generic v2.1#

Fixed an issue where inputs of the wrong type were given to the Check email addresses for domain-squatting task.

Calculate Severity - Generic v2#

Added calculation for Anti-Spam score values inside Microsoft headers (PCL, BCL and SCL).

Get endpoint details - Generic#

Fixed the "Is the endpoint IP provided?" conditional task where the task had no path if the IP address was not provided.


Common Scripts Pack v1.4.27#

Scripts#

New: ExtractAttackPattern#

Fixed an issue where the script extracted invalid Attack Pattern indicators.

WhereFieldEquals#

Improved handling where the automation failed to run on an array that contains strings given in the value argument.

SetGridField#
  • Breaking Change: Added support for columns with underscores (_). Previously underscores in columns were removed automatically by the automation.
  • Added back support for column names with more than 255 characters. (Support was removed in v1.4.24).
ParseEmailFiles#
  • Fixed an issue where multiple MIME encoded words were not decoded.
  • Added the default_encoding argument to use while message parsing where encoding fails.
  • Added the forced_encoding argument to force encoding while message parsing.
New: StringToArray#

Converts a string to an array.


Common Widgets Pack v1.1.2#

Scripts#

New: RSSWidget#

Script Widget - RSS Feed. (Available from Cortex XSOAR 5.5.0).


Content Management (Alpha) Pack v1.0.3#

Scripts#

MarketplacePackInstaller#

Fixed an issue where the script failed due to incorrect response parsing.


CrowdStrike Falcon Pack v1.2.20#

Classifiers#

CrowdStrike Falcon Incident Classifier#

Fixed an issue where the following incident types were not classified correctly.

  • CrowdStrike Falcon Detection
  • CrowdStrike Falcon Incident

Integrations#

CrowdStrike Falcon#

Fixed an issue in the fetch-incidents command where the incident_type field was not in raw incident data.


Crowdstrike Falcon Intel Feed Pack v2.0.4#

Integrations#

CrowdStrike Indicator Feed#

Fixed an issue where the fetch-indicators command failed when the First fetch time integration parameter was not entered.


Cybersixgill-DVE Pack v1.0.1 (Partner Supported)#

Integrations#

Cybersixgill DVE Feed Threat Intelligence v2#
  • Fixed an issue where the tags integration parameters were not handled correctly.
  • Updated the Docker image to: demisto/sixgill:1.0.0.20925.

DShield Feed Pack v1.1.6#

Integrations#

DShield Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Darktrace Pack v1.0.5 (Partner Supported)#

Integrations#

Darktrace#
  • Added the following commands:
    • darktrace-get-breach-details
    • darktrace-get-model
    • darktrace-get-component
  • Updated the Docker image to: demisto/python3:3.9.5.21272.

Developer Tools Pack v1.2.2#

Scripts#

New: VerifyIntegrationHealth#

Checks for existing errors in a given integration. (Available from Cortex XSOAR 6.0.0).

New: VerifyObjectFieldsList#

Verifies that a given object includes all the given fields. (Available from Cortex XSOAR 6.0.0).

New: GetInstanceName#

Given an integration name, returns the instance name. (Available from Cortex XSOAR 6.0.0).

New: VerifyEnoughIncidents#

Checks whether a given query returns sufficient incidents. (Available from Cortex XSOAR 6.0.0).


EWS Pack v1.9.2#

Integrations#

O365 - Security And Compliance - Content Search#

Fixed an issue where the o365-sc-list-search command failed when no searches were found.

Mappers#

EWS - Incoming Mapper#

Mapping missing Phishing fields.


Expanse v2 Pack v1.8.2#

Integrations#

Expanse Expander Feed#

Updated the Docker image to: demisto/python3:3.9.6.22912.

Scripts#

ExpanseGenerateIssueMapWidgetScript#

Updated the Docker image to: demisto/chromium:1.0.0.23161.


Fastly Feed Pack v1.1.6#

Integrations#

Fastly Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


FeodoTracker Feed Pack v1.1.7#

Integrations#

Feodo Tracker IP Blocklist Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Gmail Pack v1.1.7#

Mappers#

Gmail - Incoming Mapper#

Added Email Headers field mapping.


GreyNoise Pack v1.0.4 (Partner Supported)#

Integrations#

GreyNoise#

Updated the Docker image to: demisto/greynoise:1.0.0.23290.

GreyNoise Community#

Updated the Docker image to: demisto/greynoise:1.0.0.23290.


Group-IB Threat Intelligence & Attribution Pack v1.1.2 (Partner Supported)#

Integrations#

Group-IB Threat Intelligence & Attribution Feed#
  • Fixed an issue where the tags and the TLP integration parameters were not handled correctly.
  • Added the following indicator fields:
    • first seen
    • last seen

IBM QRadar Pack v2.0.22#

Integrations#

IBM QRadar v3#
  • Added the following commands:
    • qradar-ips-source-get
    • qradar-ips-local-destination-get.
  • Added the source_ip array argument to the qradar-ips-source-get command.
  • Added the local_destination_ip array argument to the qradar-ips-local-destination-get command.

Integrations & Incidents Health Check Pack v1.2.4#

Scripts#

GetFailedTasks#
  • Improved the error message returned in case of failure to retrieve the incident tasks.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

Intel471 Feed Pack v2.0.3 (Partner Supported)#

Integrations#

Intel471 Actors Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.

Intel471 Malware Indicator Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


JSON Feed Pack v1.1.6#

Integrations#

JSON Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Kaspersky Security Center Pack v1.0.3#

Integrations#

Kaspersky Security Center (Beta)#

Updated the Docker image to: demisto/python3:3.9.6.22912.


MITRE ATT&CK v2 Pack v1.0.5#

Integrations#

MITRE ATT&CK Feed v2#
  • Downgraded the Docker image to: demisto/taxii2:1.0.0.21842 to fix an issue where the following commands did not work properly:
    • attack-pattern
    • mitre-get-indicator-name
  • Documentation and metadata improvements.

Machine Learning Pack v1.3.3#

Scripts#

HashIncidentsFields#
  • Internal code improvements.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

MalwareDomainList Feed Pack v1.1.5#

Integrations#

Malware Domain List Active IPs Feed (Deprecated)#
  • Deprecated. This feed is no longer supported.
  • Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.

Microsoft 365 Defender Pack v1.1.2#

Scripts#

MS365DefenderUserListToTable#

Updated the Docker image to: demisto/python3:3.9.6.22912.

MS365DefenderCountIncidentCategories#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Microsoft Defender for Endpoint Pack v1.3.0#

Integrations#

Microsoft Defender for Endpoint#
  • Added the following commands that use the new and stable security center API for indicators:
    • microsoft-atp-sc-indicator-list
    • microsoft-atp-sc-indicator-get-by-id
    • microsoft-atp-sc-indicator-create
    • microsoft-atp-sc-indicator-update
    • microsoft-atp-sc-indicator-deleteIn order to use those new commands:
    • When using oproxy - need to re-authenticate.
    • When using self deployed - add the relevant permissions and re-authenticate.
    • Set the following permission: Ti.ReadWrite (Read and write IOCs belonging to the app) - Application
  • Deprecated the following commands as they used a beta endpoint.
    • microsoft-atp-indicator-delete command. Use microsoft-atp-sc-indicator-delete instead.

    • microsoft-atp-indicator-update command. Use microsoft-atp-sc-indicator-update instead.

    • microsoft-atp-indicator-create-network command. Use microsoft-atp-sc-indicator-create instead.

      API limitation - CIDR notation for IPs is not supported as part of the new commands.

    • microsoft-atp-indicator-create-file command. Use microsoft-atp-sc-indicator-create instead.

    • microsoft-atp-indicator-list command. Use microsoft-atp-sc-indicator-list instead.

    • microsoft-atp-indicator-get-by-id command. Use microsoft-atp-sc-indicator-get-by-id instead.

  • Updated the Docker image to: demisto/crypto:1.0.0.19032.

Microsoft Graph Mail Pack v1.0.23#

Mappers#

New: Microsoft Graph Mail Mapper#

Incoming mapper for phishing emails.


Microsoft Policy And Compliance Pack v1.0.1#

Playbooks#

Azure Configuration Analysis#

Deprecated. Use the Office 365 and Azure Configuration Analysis playbook instead.

Azure Hunting playbook#

Deprecated. Use the Office 365 and Azure Hunting playbook instead.


Microsoft Teams Pack v1.1.16#

Integrations#

Microsoft Teams#

Added the parameter auto_notifications in order to configure automatic notifications to the configured notifications channel.


Office 365 and Azure (Audit Log) Pack v1.0.2#

Playbooks#

New: Office 365 and Azure Hunting#

This playbook enables you to collect and investigate suspicious security events from Azure AD environment. (Available from Cortex XSOAR 5.5.0).

New: Office 365 and Azure Configuration Analysis#

This playbook helps you collect, review, and find misconfigurations with the Azure environment. (Available from Cortex XSOAR 5.5.0).


PAN-OS Pack v1.6.27#

Integrations#

Palo Alto Networks PAN-OS#
  • Added the following arguments to the panorama-create-rule and panorama-create-custom-block-rule commands:
    • where
    • dst
  • Added the timeout argument to the panorama-register-ip-tag command, which is applicable only for PAN-OS versions 9.x or higher.
  • Fixed an issue where some of the arguments of the panorama-create-url-filter command were not mishandled.

Palo Alto Networks BPA Pack v1.2.9#

Integrations#

Palo Alto Networks BPA#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Palo Alto Networks Cortex XDR - Investigation and Response Pack v3.0.26#

Integrations#

Cortex XDR - IOC#
  • Fixed an issue where the following commands would encounter authentication errors when customers were using Auto sync:
    • xdr-iocs-sync
    • fetch-incidents
  • Updated the Docker image to: demisto/python3:3.9.6.22912.
Palo Alto Networks Cortex XDR - Investigation and Response#
  • Fixed an issue where XSOAR mirror out would change the XDR status for closed incidents.
  • Improved error handling for the following commands when reaching an uninstalled endpoint:
    • xdr-isolate-endpoint
    • xdr-unisolate-endpoint
  • Fixed an issue where the xdr-blacklist-files command returned an error if the given hashes have already been added to the allow or block list.

Palo Alto Networks WildFire Pack v1.4.0#

Integrations#

Palo Alto Networks WildFire v2#

Added the polling argument to the following commands:

  • wildfire-upload
  • wildfire-upload-url
  • wildfire-upload-file-remote
  • wildfire-upload-file-url

When polling is set to true, the command will try to return the results. The polling argument enables users to search WildFire using a single command, that doesn't require GenericPolling Playbook.


Phishing Pack v2.4.1#

Incident Fields#

  • Phishing SCL Score
  • Phishing BCL Score
  • Phishing PCL Score

Layouts#

Phishing Incident - Microsoft Anti-Spam Headers section was added to the investigation tab.

Playbooks#

New: Process Microsoft's Anti-Spam Headers#

This playbook stores the SCL, BCL and PCL scores (if they exist) to the associated incident fields (Phishing SCL Score, Phishing PCL Score, and Phishing BCL Score). It also does the following:

  • Sets the email classification to "spam" if the SCL score is equal to or higher than 5.
  • Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs:
    • PCL (Phishing Confidence Level) score is between and including 4-8: The message content is likely to be phishing.
    • BCL (Bulk complaint level) score is between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. Between and including 8-9: The message is from a bulk sender that generates a high number of complaints.
    • SCL (Spam confidence level) score is between and including 5-6: Spam filtering marked the message as Spam. 9: Spam filtering marked the message as High confidence spam.

For further information on SCL/BCL/PCL, see the Microsoft documentation:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-worldwide

https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019

Phishing Investigation - Generic v2#
  • Added the CheckMicrosoftHeaders playbook input.
  • Added the Process Microsoft's Anti-Spam Headers sub-playbook to the Investigation section.
  • Replaced Email/from incident labels with ReporterAddress.
  • Fixed the DT scripts inside several tasks. These scripts check whether to address users through their display name or their email address.

Plain Text Feed Pack v1.1.4#

Integrations#

Plain Text Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Powershell Remoting Pack v1.0.3#

Integrations#

PowerShell Remoting (Beta)#

Added descriptions and examples for integration settings.


Prisma Cloud Pack v1.8.2#

Integrations#

Prisma Cloud (RedLock)#

Improved logging in case of an error.


Proofpoint Threat Response (Beta) Pack v1.0.6#

Integrations#

Proofpoint Threat Response (Beta)#
  • Fixed an issue where the expand_events argument of the proofpoint-tr-get-incident command did not affect the response.
  • Enhanced the incident commands outputs.

RSA Archer Pack v1.1.21#

Integrations#

RSA Archer v2#

Fixed an issue of hard-coded API endpoints in the code by adding a new API Endpoint parameter to the integration.

Scripts#

ArcherCreateIncidentExample#

Updated the Docker image to: demisto/python3:3.9.6.22912.

ArcherCreateSecurityIncident#

Updated the Docker image to: demisto/python:2.7.18.22912.

ArcherUpdateSecurityIncident#

Updated the Docker image to: demisto/python:2.7.18.22912.

RSAArcherManualFetch#

Updated the Docker image to: demisto/python:2.7.18.22912.


Rapid Breach Response Pack v1.6.18#

Playbooks#

SolarStorm and SUNBURST Hunting and Response Playbook#

Updated Office 365 and Azure sub-playbooks.


Rasterize Pack v1.0.11#

Integrations#

Rasterize#
  • Updated the user agent Chrome version to: 91.0.4472.164.
  • Added the file_name argument in all the commands to have support for modifying the saved file name.

RecordedFuture v2 Pack v1.1.4 (Partner Supported)#

Integrations#

Recorded Future v2#
  • Added the recordedfuture-links command that brings a new recorded future dataset.
  • Related entities section in the War Room output is now in table format.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

Playbooks#

Recorded Future URL Reputation#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future CVE Reputation#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task..

Recorded Future IP Reputation#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future Threat Assessment#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future URL Intelligence#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future Domain Intelligence#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future Domain Reputation#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future File Intelligence#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future IP Intelligence#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future File Reputation#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.

Recorded Future CVE Intelligence#

Fixed the recordedfutureriskrules field name that is used by SetIndicator task.


SendGrid Pack v1.0.2 (Community Contributed)#

Integrations#

SendGrid#
  • Added sg-get-email-activity-list command which will retrieve the email activity list associated with the messages matching the user query.
  • Updated the Docker image to: demisto/sendgrid:1.0.0.23423.

Shodan Pack v1.0.4#

Integrations#

Shodan v2#

Updated the Docker image to: demisto/python3:3.9.6.22912.


Sixgill Darkfeed - Annual Subscription Pack v2.0.4 (Partner Supported)#

Integrations#

Sixgill DarkFeed Threat Intelligence#

Updated the Docker image to: demisto/sixgill:1.0.0.23434.

Sixgill DarkFeed Enrichment#

Updated the Docker image to: demisto/sixgill:1.0.0.23434.


Slack Pack v2.1.4#

Integrations#

Slack v3 (beta)#
  • Added the following commands:
    • *slack-pin-message
    • slack-edit-message
  • Fixed an issue where SocketMode would fail to connect.
  • Fixed an issue where the SSL Verification parameter was not applied to the socket connection.
  • Fixed an issue where the SlackLogger would not write verbose logs.

Spamhaus Feed Pack v1.1.6#

Integrations#

Spamhaus Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Splunk Pack v2.1.11#

Integrations#

SplunkPy#
  • Removed the following integration parameters:
    • Earliest time to fetch
    • Latest time to fetch
  • Fixed an issue where the update-remote-system mirroring command was returning an incorrect error message AttributeError: 'unicode' object has no attribute 'get'.
  • Added a default outgoing mapper.
  • Documentation and metadata improvements.

Mappers#

Splunk - Notable Generic Outgoing Mapper#

Fixed an issue in the Outgoing Mapper where whitespace in mapped values were causing an incorrect output.


Symantec Data Loss Prevention (Beta) Pack v1.1.2#

Integrations#

Symantec Data Loss Prevention (Beta)#

Fixed an issue where the fetch-incidents command created duplicate incidents in case the fetch limit was set to less than the number of incidents returned from Symantec DLP.


Trend Micro Apex One Pack v2.0.2#

Integrations#

Trend Micro Apex One#
  • Fixed an issue where authenticating would fail intermittently.
  • Updated the Docker image to: demisto/pycef:1.0.0.23290.

Twinwave Pack v1.0.4 (Partner Supported)#

Integrations#

Twinwave#
  • Fixed an issue with timestamp parsing when fetching incidents.
  • Updated the Docker image to: demisto/python3:3.9.6.22912.

Unit42 v2 Feed Pack v1.0.2#

Integrations#

Unit42 v2 Feed#

Breaking changes: Added the prefix of the parent technique to the Attack Pattern sub-technique.


VirusTotal Pack v2.1.7#

Integrations#

VirusTotal (API v3)#
  • Fixed an issue where the integration failed to parse the reserved Whois string.
  • Fixed an issue in the domain command where popularity ranks were miscalculated.

Whois Pack v1.2.5#

Integrations#

Whois#
  • Fixed an issue where the ip command failed to run when using proxy.
  • Updated the Docker image to: demisto/ippysocks:1.0.0.23955.
WhoisFix#

Fixed an issue where the domain command would fail on .in domains.


Zscaler Pack v1.1.8#

Integrations#

Zscaler#

Fixed an issue where the URL protocol was omitted from the results of the url command.


iDefense Pack v3.1.0#

Integrations#

iDefense Feed#

Fixed an issue where fetching indicators in Cortex XSOAR with a version below 6.5.0 would fail.


Assets#