Cortex XDR by Palo Alto Networks

Details
Content
Dependencies
Version History

Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.

Cortex XDR is a detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. Responding and managing these attacks requires security teams to reconcile data from multiple sources. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest.

This Cortex XDR content pack contains the Palo Alto Networks Cortex XDR - Investigation and Response integration that enables direct execution of Cortex XDR actions within Cortex XSOAR. The Cortex XDR Incident Handling v3 playbook enables bidirectional incident updates between Cortex XDR and Cortex XSOAR.

What does this pack do?

The playbooks included in this pack help you save time and keep your incidents in sync. They also help automate repetitive tasks associated with Cortex XDR incidents:

Syncs and updates Cortex XDR incidents.
Triggers a sub-playbook to handle each alert by type.
Extracts and enriches all relevant indicators from the source alert.
Hunts for related IOCs.
Calculates the severity of the incident.
Interacts with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Remediates the incident by blocking malicious indicators and isolating infected endpoints.

As part of this pack, you will also get out-of-the-box Cortex XDR incident type views, with incident fields and a full layout to facilitate analyst investigation. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

Cortex XDR Lite - Incident Handling

Automations

Name	Description
EntryWidgetNumberHostsXDR	Entry widget that returns the number of hosts in a Cortex XDR incident.
XDRDisconnectedEndpoints	The widget returns the number of the disconnected endpoints using xdr-get-endpoints command.
DBotGroupXDRIncidents	Train clustering model on Cortex XDR incident type.
XCloudResourcesPieWidget	XCLOUD dynamic section, showing the top ten resource types in a pie chart.
CortexXDRIdentityInformationWidget	This widget displays Cortex XDR identity information.
EntryWidgetNumberUsersXDR	Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
CortexXDRInvestigationVerdict	This widget displays the incident verdict based on the 'Verdict' field.
XCloudRegionsPieWidget	XCLOUD dynamic section, showing the top ten regions types in a pie chart.
XDRConnectedEndpoints	The widget returns the number of the connected endpoints using xdr-get-endpoints command.
XDRSyncScript	Deprecated. No available replacement. Syncs a single incident between Demisto and XDR. This script always uses the xdr-get-incident-extra-data command and outputs to the context the entire incident JSON. When the incident is updated in XDR, the Demisto incident will be updated accordingly and the default playbook will rerun. When an incident is updated in Demisto, the script will execute the xdr-update-incident command and update the incident in XDR.
EntryWidgetNumberRegionsXCLOUD	Entry widget that returns the number of regions in a Cortex XDR incident.
EntryWidgetNumberResourcesXCLOUD	Entry widget that returns the number of resources in a Cortex XDR incident.
CortexXDRAdditionalAlertInformationWidget	This script retrieves additional original alert information from the context.
EntryWidgetPieAlertsXDR	Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
CortexXDRRemediationActionsWidget	This widget displays Cortex XDR remediation action information.
CortexXDRCloudProviderWidget	This script returns an HTML result of the cloud providers in the incident. The result will be displayed in the following font colors: AWS - red, GCP - green, Azure - blue.

Classifiers

Name	Description
Cortex XDR - Classifier	Classifies Cortex XDR incidents.
Cortex XDR Incident Handler - Classifier	Classifies Cortex XDR incidents.
XDR - Incoming Mapper	Maps incoming Cortex XDR incidents fields.
Cortex XDR - Outgoing Mapper	Maps outgoing Cortex XDR incidents fields.

Dashboards

Name	Description
Cortex XDR Events Grouping
Cortex XDR

Incident Fields

Name	Description
XDR High Severity Alert Count
XDR Similar Incidents
XDR Alerts
XDR device control violations
XDR Users
XDR Status v2
XDR Modification Time	The time the incident was modified in XDR
XDR URL
XDR Description
XDR Medium Severity Alert Count
XDR Disconnected endpoints
XDR Status	Deprecated from version 6.0.0. Please use XDR Status v2 instead
XDR Risky Users	Users that pose a risk, along with their scores retrieved from XDR.
XDR Alert Category
XDR File Name
XDR Network Artifacts
XDR Risky Host Count	The number of hosts identified as risky by Cortex XDR.
XDR Risky User Count	The number of risky users as specified in XDR.
XDR File SHA256
XDR Host Count
XDR manual severity
XDR File Artifacts
XDR Detection Time
XDR Notes
XDR Risky Hosts	Hosts that pose a risk, along with their scores retrieved from XDR.
XDR Resolve Comment
XDR MITRE Techniques
XDR MITRE Tactics
XDR Assigned User Email
XDR Starred
XDR Alert Search Results
XDR Low Severity Alert Count
XDR Investigation results
XDR User Count
XDR Assigned User Pretty Name
LastMirroredInTime	The last time the incident was mirrored in.
XDR Incident ID
XDR Alert Count
XDR Alert Name

Incident Types

Name	Description
Cortex XDR Port Scan
Cortex XDR - Lite
Cortex XDR Disconnected endpoints
Cortex XDR Device Control Violations
Cortex XDR Incident
Cortex XDR - XCLOUD Cryptomining
Cortex XDR - XCLOUD

Indicator Fields

Name	Description
XDR status	The indicator status in XDR.

Integrations

Name	Description
Cortex XDR - XQL Query Engine	Cortex XDR - XQL Query Engine enables you to run XQL queries on your data sources.
Palo Alto Networks Cortex XDR - Investigation and Response	Cortex XDR is the world's first detection and response app that natively integrates network, endpoint, and cloud data to stop sophisticated attacks.
Cortex XDR - IOC	Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.

Layouts

Name	Description
Cortex XDR Disconnected endpoints
Cortex XDR Incident
Cortex XDR - XCLOUD
Cortex XDR Port Scan
Cortex XDR - Lite
Cortex XDR Device Control Violations

Playbooks

Name	Description
Cortex XDR IOCs - Push new IOCs to XDR	This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR - Main" and should not be run on its own. This sub-playbook retrieves IOCs according to the users query input (passed from the main playbook) and pushes them into Cortex XDR, and marks them as "xdr_pushed" or "xdr_not_processed" for further processing.
Cortex XDR - Get entity alerts by MITRE tactics	This playbook is part of the Cortex XDR by Palo Alto Networks’ pack. This playbook searches alerts related to specific entities from Cortex XDR, on a given timeframe, based on MITRE tactics. Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details.
Cortex XDR IOCs - Push new IOCs to XDR (Main)	This is the main playbook for Cortex XDR IOCs sync. The playbook will "sync" IOCs into Cortex XDR by pushing new IOCs in and disabling expired IOCs. The playbook utilizes Cortex XSOAR tags and loops in order to find IOCs using a query provided by the user. The playbook will iterate over the IOCs pushing them in batches into Cortex XDR. In the second phase, the playbook will disable expired IOCs that were previously pushed into Cortex XDR. We recommend running this playbook as a job a twice a day after disabling the integration sync function.
Cortex XDR - First SSO Access	Deprecated. Use `Cortex XDR - Identity Analytics` instead. Investigates a Cortex XDR incident containing First SSO access from ASN in organization or First successful SSO connection from a country in organization. The playbook executes the following: IP and User Enrichment. User Investigation - Using 'User Investigation - Generic' sub-playbook. Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook. Response based on the verdict. The playbook is used as a sub-playbook in ‘Cortex XDR Incident Handling - v3’.
Cortex XDR - Quarantine File v2	This playbook accepts "file path", "file hash" and "endpoint id" to quarantine a selected file and wait until the action is done. All 3 inputs are required to quarantine a single file. This playbook does not support the quarantine of multiple files.
Cortex XDR - Get File Path from alerts by hash	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook assists in retrieving file paths from the Cortex XDR incident by hash.
Cortex XDR - Block File	Use this playbook to add files to Cortex XDR block list with a given file SHA256 playbook input.
Cortex XDR Remote PsExec with LOLBIN command execution alert	The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default). Enrich any entities and indicators from the alert and find any related campaigns. Perform command analysis to provide insights and a verdict for the executed command. Perform further endpoint investigation using Cortex XDR. Checks for any malicious verdicts found to raise the severity of the alert. Perform automatic/manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling". It depends on the data from the parent playbooks and cannot be used as a standalone version.
Cortex XDR device control violations	Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. All the collected data will be displayed in the XDR device control incident layout. This playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users.
Cortex XDR - Retrieve File Playbook	Deprecated. Use Cortex XDR - Retrieve File Playbook v2 instead.
Cortex XDR - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles false-positive incident closures for Cortex XDR - Malware investigation.
Cortex XDR - Execute commands	Deprecated. Use the `xdr-script-commands-execute` command instead. Initiates a new script execution of shell commands.
Cortex XDR - Malware Investigation	Investigates a Cortex XDR incident containing internal malware alerts. The playbook: Enriches the infected endpoint details. The analyst can manually retrieve the malicious file. Performs file detonation. The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’.
Cortex XDR - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.
Cortex XDR - Identity Analytics	The `Cortex XDR - Identity Analytics` playbook is designed to handle Cortex XDR Identity Analytics alerts and executes the following: Analysis: Enriches the IP address and the account, providing additional context and information about these indicators. Verdict: Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity. Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP addresses and revoking or clearing user's sessions. Handles non-malicious alerts identified during the investigation. The playbook is used as a sub-playbook in ‘Cortex XDR Alerts Handling v2’.
Cortex XDR - Run script	Initiates a new endpoint script execution action using a provided script unique id from Cortex XDR script library.
Cortex XDR IOCs - Disable expired IOCs in XDR	This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR (Main)". This playbook disables indicators in Cortex XDR after they expire from Cortex XSOAR using a loop and querying on the "xdr_pushed" tag.
JOB - Cortex XDR query endpoint device control violations	A job to periodically query Cortex XDR device control violations by a given timestamp in a relative date playbook input. The collected data, if found, will be generated for a new incident. You can configure the created new incident type in the playbook input and use the XDR Device Control Violations incident type to associate it with the response playbook. The job includes an incident type with a dedicated layout to visualize the collected data. To configure the job correctly: Create a new recurring job. Configure the recurring schedule. Add a name. Configure the type to XDR Device Control Violations. Configure this playbook as the job playbook. The scheduled run time and the timestamp relative date should be identical. If the job recurs every 7 days, the timestamp should be 7 days as well.
Cortex XDR - Isolate Endpoint	This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
Cortex XDR - Large Upload	The playbook investigates Cortex XDR incidents involving large upload alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling v2’. The playbook consists of the following procedures: Searches for similar previous incidents that were closed as false positives. Enrichment and investigation of the initiator and destination hostname and IP address. Enrichment and investigation of the initiator user, process, file, or command if it exists. Detection of related indicators and analysis of the relationship between the detected indicators. Utilize the detected indicators to conduct threat hunting. Blocks detected malicious indicators. Endpoint isolation. This playbook supports the following Cortex XDR alert names: Large Upload (Generic) Large Upload (SMTP) Large Upload (FTP) Large Upload (HTTPS)
Cortex XDR - Unisolate Endpoint	This playbook unisolates endpoints according to the endpoint ID that is provided in the playbook input.
Cortex XDR - Display Risky Assets	This playbooks displays risky users and risky hosts, as detected by Cortex XDR's ITDR module. The data is displayed in incident fields in Cortex XDR incidents.
Cortex XDR - kill process	Deprecated. Use the `xdr-kill-process-script-execute` command instead. Initiates a new endpoint script execution kill process and retrieves the results.
Cortex XDR - Port Scan - Adjusted	The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. The playbook consists of the following procedures: Enrichment and investigation of the scanner and scanned hostname and IP address. Enrichment and investigation of the initiator user, process, file, or command if it exists. Detection of related indicators and analysis of the relationship between the detected indicators. Utilize the detected indicators to conduct threat hunting. Blocks detected malicious indicators. Endpoint isolation. This playbook supports the following Cortex XDR alert names: Suspicious port scan Port scan by suspicious process Highly suspicious port scan Port scan.
Cortex XDR - Search and Compare Process Executions - XQL Engine	This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compare the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments
Cortex XDR - AWS IAM user access investigation	Deprecated. Use `Cortex XDR - Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. At the moment we support AWS but are working towards multi-cloud support. Since the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the content to help us identify issues, fix them, and continually improve.
Cortex XDR - Possible External RDP Brute-Force	This playbook investigates a “Possible External RDP Brute Force” XDR Alert by gathering user, IP, and hostname information, and investigating if the following suspicious elements exists: "IP Reputation" - Dbot Score is 2-3 "Source geolocation" - RDP Connection made from rare geo-location Related to campaign - IP address is related to campaign, based on TIM module Hunting results - the hunt for indicators related to the source IP and the related campaign returned results XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. Risky User - The user that was identified in the attack was given a medium or high score by XDR's ITDR module. Risky Host - The destination host that was identified in the attack was given a medium or high score by XDR's ITDR module. Set verdict method: Critical Element - The "Critical Element" input allows you to select a specific element that, if identified as suspicious, the investigation's final verdict will be deemed a "True Positive". Final Verdict - Each suspicious element is being added to an array called "Suspicious Elements", which is used to count potential security threats. The array size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive". User Engagement - The "UserEngagementThreshold" input allows you to set the number of suspicious elements that trigger user engagement. When this threshold is met, an email will be sent to the user and their manager asking for authorization of RDP activity. If the RDP activity is not authorized by the user, the investigation's final verdict will be deemed a "True Positive".
Cortex XDR Lite - Incident Handling	The Cortex XDR Lite - Incident Handling playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident and executes the following: Analysis: Enriches all the indicators from XDR incidents and alerts, providing additional context and information about these indicators. Investigation: Checks for related XDR alerts to the user and the endpoint by Mitre tactics to identify malicious activity. Checks for specific arguments for malicious usage from the command line. Verdict: Determines the incident's verdict by considering indicator enrichment results, user and host risk levels, command line analysis, and the number of related XDR alerts (medium severity or higher) to the user and the endpoint by Mitre tactics. Verdict Handling: Handles malicious incidents by initiating appropriate response actions, including blocking malicious indicators, isolating endpoints, and disabling user accounts. To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be `Cortex XDR - Lite`. The selected Mapper (incoming) should be `XDR - Incoming Mapper`, and the selected Mapper (outgoing) should be Cortex `XDR - Outgoing Mapper`.
Cortex XDR Alerts Handling	Deprecated. Use Cortex XDR - Alerts Handling v2 instead. When using the v2 version, enabling globally shared context for that playbook is required because outputs are no longer declared.
Cortex XDR - First SSO Access - Set Verdict	Deprecated. Use `Cortex XDR - Identity Analytics` instead. This playbook determines the alert’s verdict based on the results of multiple checks. By default, if at least two of the checks' results are true, the verdict is set to malicious. else if only one check's results are true, the verdict is set to suspicious. If none of the conditions is true, the verdict is set to non-malicious. It is possible to change the threshold value of the inputs to change the sensitivity of the verdict.
Cortex XDR Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
Cortex XDR Malware - Investigation And Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Cortex XDR malware incidents. It uses: Cortex XDR insights Command Line Analysis Dedup Sandbox hash search and detonation Cortex XDR enrichment Incident Handling (True/False Positive).
Cortex XDR incident handling v2	Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident's indicators and hunting for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation.
Cortex XDR Incident Sync	Deprecated. No available replacement. Compares incidents in Palo Alto Networks Cortex XDR and Cortex XSOAR, and updates the incidents appropriately. When an incident is updated in Cortex XSOAR, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Cortex XSOAR and rerun the current playbook. Do not use this playbook when enabling the incident mirroring feature added in XSOAR version 6.0.0.
Cortex XDR - quarantine file	Deprecated. Use Cortex XDR - quarantine file v2 instead.
Cortex XDR - Port Scan	Deprecated. Use the Cortex XDR - Port Scan - Adjusted playbook instead. Investigates a Cortex XDR incident containing internal port scan alerts. The playbook: Syncs data with Cortex XDR Enriches the hostname and IP address of the attacking endpoint Notifies management about host compromise Escalates the incident in case of lateral movement alert detection Hunts malware associated with the alerts across the organization Blocks detected malware associated with the incident Blocks IPs associated with the malware Isolates the attacking endpoint Allows manual blocking of ports that were used for host login following the port scan
Cortex XDR - Retrieve File v2	This playbook retrieves files from selected endpoints. You can retrieve up to 20 files, from 10 endpoints. Inputs for this playbook are: A comma-separated list of endpoint IDs. A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required.
Cortex XDR - Check Action Status	Checks the action status of an action ID. \nEnter the action ID of the action whose status you want to know.
Cortex XDR incident handling v3	This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident and triggers a sub-playbook to handle each alert by type. Then, the playbook performs enrichment on the incident’s indicators and hunts for related IOCs. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive. After the remediation, if there are no new alerts, the playbook stops the alert sync and closes the XDR incident and investigation. For performing the bidirectional sync, the playbook uses the incoming and outgoing mirroring feature added in XSOAR version 6.0.0. After the Calculate Severity - Generic v2 sub-playbook’s run, Cortex XSOAR will be treated as the single source of truth for the severity field, and it will sync only from Cortex XSOAR to XDR, so manual changes for the severity field in XDR will not update in the XSOAR incident.
Cortex XDR - Search and Compare Process Executions - XDR Alerts	This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside Cortex XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input. Note: Under the "Processes" input, the playbook should receive an array that contains the following keys: value: process name commands: command-line arguments.
Cortex XDR - Retrieve File by sha256	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. The playbook facilitates the process of retrieving files from the investigated devices, unzipping the retrieved files, and loading them into the War Room. This playbook consists of the following steps: Initially, the sub-playbook 'Cortex XDR - Get File Path from alerts by hash' examines the SHA256 file hashes and retrieves the file paths associated with each hash. As soon as the SHA256 hashes, file paths, and endpoint IDs are obtained, the playbook attempts to retrieve the files from all the investigated devices. Once the file retrieval automation has been completed successfully, the playbook will unzip the files and load them into the War Room. Note: When retrieving multiple files, ensure that the SHA256 input is set to run in a loop.
Cortex XDR - check file existence	Deprecated. Use `xdr-file-exist-script-execute` command instead. Initiates a new endpoint script execution to check if the file exists and retrieve the results.
Cortex XDR - delete file	Deprecated. Use the `xdr-file-delete-script-execute` command instead. Initiates a new endpoint script execution to delete the specified file and retrieve the results.
Cortex XDR disconnected endpoints	A Job to periodically query disconnected Cortex XDR endpoints with a provided last seen time range playbook input. The Collected data, if found will be generated to a CSV report, including a detailed list of the disconnected endpoints. The report will be sent to the recipient's provided email addresses in the playbook input. The playbook includes an incident type with a dedicated layout to visualize the collected data. To set the job correctly, you will need to. Create a new recurring job. Set the recurring schedule. Add a name. Set type to Cortex XDR disconnected endpoints. Set this playbook as the job playbook. https://xsoar.pan.dev/docs/incidents/incident-jobs The scheduled run time and the timestamp relative date should be identical, If the job is recurring every 7 days, the time range should be 7 days as well.
Cortex XDR - Execute snippet code script	Deprecated. Use the `xdr-snippet-code-script-execute` command instead. Initiates a new endpoint script execution action using the provided snippet code and retrieves the file results.
Cortex XDR - PrintNightmare Detection and Response	The playbook targets specific PrintNightmare rules written by Cortex XDR for both vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE This playbook includes the following tasks: Containment of files, endpoints, users and IP Addresses Enrichment of indicators Data acquisition of system info and files using Cortex XDR Eradicating compromised user credentials ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Cortex XDR Alerts Handling v2	This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: Malware Port Scan Cloud Cryptojacking Cloud Token Theft RDP Brute-Force First SSO Access Cloud IAM User Access Investigation Identity Analytics
Cortex XDR - Search And Block Software - XQL Engine	This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block.
Cortex XDR Incident Handling	Deprecated. Use `Cortex XDR incident handling v3` instead. This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident. The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically. *** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0. For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
Cortex XDR - Possible External RDP Brute-Force - Set Verdict	This playbook creating an array called "Suspicious Elements", which is used to count potential security threats. The following elements can be added to the array: "IP Reputation" - DBot Score is 2-3 "Source geolocation" - RDP Connection made from rare geo-location Related to campaign - IP address is related to campaign, based on TIM module Hunting results - the hunt for indicators related to the source IP and the related campaign returned results XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. Risky User - one or more risky users are involved in the incident, as identified by the Cortex XDR - IR integration's ITDR module. Risky Host - one or more risky hosts are involved in the incident, as identified by the Cortex XDR - IR integration's ITDR module. The array will then be outputted and its size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive."
Calculate Severity - Cortex XDR Risky Assets	Calculates a severity for the incident based on the involvement of risky users or risky hosts in the incident, as determined by the Cortex XDR ITDR module.
Cortex XDR - Endpoint Investigation	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including the following tasks: Pre-defined MITRE Tactics Host fields (Host ID) Attacker fields (Attacker IP, External host) MITRE techniques File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Widgets

Name	Description
Cortex XDR Groups - Scatter
Cortex XDR Top 10 File SHA256
Cortex XDR Active Device Control Violations Incidents
Cortex XDR Disconnected Endpoints
Cortex XDR Top 10 Categories
Cortex XDR Active High Severity Incidents
Cortex XDR Top 10 Users
Cortex XDR Top 10 Alerts
Cortex XDR Connected Endpoints
Cortex XDR Grouping - Incidents
Cortex XDR Unassigned Incidents
Cortex XDR Active Medium Severity Incidents
Cortex XDR Top 10 Hosts
Cortex XDR Top 10 MITRE Tactics
Cortex XDR Top 10 MITRE Techniques
Cortex XDR Active Low Severity Incidents
Cortex XDR Closed Incidents
Cortex XDR Closed Device Control Violations
Cortex XDR Top 10 files
Cortex XDR Grouping - Summary

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

Optional Content Packs (13)

Pack Name	Pack By
AWS - IAM	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
AutoFocus by Palo Alto Networks	By: Cortex XSOAR
Azure Enrichment and Remediation	By: Cortex XSOAR
Brute Force	By: Cortex XSOAR
Cloud Incident Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Atlassian Jira	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Nutanix Hypervisor	By: Cortex XSOAR
Okta	By: Cortex XSOAR
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Base	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

6.1.28 - 953931 (April 14, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue in CoreIRApiModule regarding close reason resolution.

Related pull requests:
- 33867

Download

6.1.27 - R940291 (April 7, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where alerts, network_artifacts, file_artifacts is not being populated on new incidents when bringing them into XSOAR.
Fixed an issue where the alert count was reset after docker timeout.
Fixed a bug where the response from the API was not parsed correctly.

Related pull requests:
- 33558
- 33549
- 33527
- 33239
- 33450
- 33493
- 33542
- 33563
- 33582
- 33565
- 33578
- 33577
- 33368
- 33567
- 33564
- 33517
- 33594
- 33588
- 33417
- 33589
- 33599
- 33605
- 33593
- 33543
- 33574
- 33606

Download

6.1.26 - 924992 (March 31, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where authentication failed due to deprecated authentication configuration.
Updated the Docker image to: demisto/python3.10.14.91134.

Related pull requests:
- 33620

Download

6.1.25 - 907391 (March 21, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Improved implementation of fetch-incidents and xdr-get-incident-extra-data to better fetch incidents alerts according to the config map.
Updated the Docker image to: demisto/python3.10.14.90585.

Related pull requests:
- 32482
- 32709
- 32742
- 32725
- 32677
- 32740
- 32223
- 32531
- 32703
- 31584
- 22875
- 23810
- 24259
- 24291
- 31573
- 32431
- 32738
- 32743
- 32685
- 32729
- 32556
- 32731
- 32773
- 32303
- 32794
- 32870
- 32767
- 32920
- 32795
- 32678
- 32863
- 32783
- 32937
- 32854
- 32120
- 32919
- 32873
- 32855
- 32119
- 32356
- 32349
- 32350
- 32041
- 32352
- 32862
- 32514
- 32942
- 32931
- 32938
- 32763
- 32762
- 32741
- 32744
- 32745
- 32752
- 32753
- 32754
- 32759
- 32761
- 32721
- 32940
- 32359
- 32880
- 32946
- 32944
- 32687
- 32573
- 32826
- 32462
- 31070
- 31110
- 31141
- 31145
- 31120
- 31063
- 30661
- 31130
- 30943
- 31132
- 30993
- 31151
- 31153
- 31164
- 30978
- 31163
- 30901
- 31158
- 31114
- 31172
- 30897
- 31122
- 31085
- 31127
- 31182
- 31162
- 30955
- 31178
- 31017
- 31185
- 31169
- 30577
- 31184
- 31128
- 31147
- 31198
- 31199
- 31203
- 31201
- 31202
- 31200
- 31206
- 31205
- 31204
- 31208
- 31207
- 31211
- 31214
- 31215
- 31216
- 31218
- 31217
- 31082
- 31219
- 31193
- 31135
- 31161
- 31195
- 31221
- 31186
- 31222
- 31196
- 31197
- 30641
- 31213
- 30647
- 31225
- 30873
- 31168
- 31228
- 31226
- 31236
- 30393
- 31233
- 31242
- 31183
- 31245
- 31254
- 30525
- 30501
- 31268
- 31179
- 31170
- 31247
- 31084
- 30663
- 31190
- 30712
- 31252
- 30493
- 25523
- 31144
- 31265
- 31253
- 31262
- 31154
- 30959
- 31234
- 31276
- 31286
- 31264
- 31272
- 31287
- 31288
- 31290
- 31289
- 31291
- 31292
- 31293
- 31295
- 31294
- 31256
- 31189
- 31296
- 31271
- 31314
- 31166
- 31101
- 31220
- 31021
- 31308
- 31311
- 31269
- 31312
- 31297
- 31315
- 31192
- 31267
- 31232
- 31310
- 31246
- 31300
- 31273
- 31322
- 31320
- 31324
- 29092
- 31674
- 32888
- 32879
- 32912
- 31941
- 32775
- 32869
- 32787
- 32952
- 32502
- 32851
- 32964
- 32856
- 32897
- 32882
- 32941
- 32246
- 32953
- 32923
- 31917
- 32972
- 32593
- 32585
- 32642
- 32672
- 32662
- 32660
- 32647
- 32628
- 32569
- 32947
- 32973
- 32975
- 32462
- 32974
- 32955
- 32881
- 32615
- 32446
- 32877
- 32976
- 32958
- 32966
- 32648
- 32646
- 32645
- 32637
- 32631
- 32625
- 32624
- 32604
- 32582
- 32571
- 32565
- 31633
- 32611
- 32779
- 32992
- 31947
- 32951
- 32868
- 33002
- 32383
- 33008
- 33007
- 33009
- 33010
- 32995
- 32996
- 32999
- 32393
- 32760
- 32671
- 32667
- 32666
- 32659
- 32658
- 32656
- 32655
- 32654
- 32572
- 32674
- 32627
- 32983
- 32963
- 33000
- 33019
- 32956
- 33024
- 32990
- 32876
- 32964
- 32856
- 32897
- 32882
- 32941
- 32778
- 33042
- 33040
- 33044
- 33035
- 32949
- 32993
- 33056
- 31491
- 31130
- 30943
- 31132
- 30993
- 31151
- 31153
- 31164
- 30978
- 31163
- 30901
- 31158
- 31114
- 31172
- 30897
- 31122
- 31085
- 31127
- 31182
- 31162
- 30955
- 31178
- 31017
- 31185
- 31169
- 30577
- 31184
- 31128
- 31147
- 31198
- 31199
- 31203
- 31201
- 31202
- 31200
- 31206
- 31205
- 31204
- 31208
- 31207
- 31211
- 31214
- 31215
- 31216
- 31218
- 31217
- 31082
- 31219
- 31193
- 31135
- 31161
- 31195
- 31221
- 31186
- 31222
- 31196
- 31197
- 30641
- 31213
- 30647
- 31225
- 30873
- 31168
- 31228
- 31226
- 31236
- 30393
- 31233
- 31242
- 31183
- 31245
- 31254
- 30525
- 30501
- 31268
- 31179
- 31170
- 31247
- 31084
- 30663
- 31190
- 30712
- 31252
- 30493
- 25523
- 31144
- 31265
- 31253
- 31262
- 31154
- 30959
- 31234
- 31276
- 31286
- 31264
- 31272
- 31287
- 31288
- 31290
- 31289
- 31291
- 31292
- 31293
- 31295
- 31294
- 31256
- 31189
- 31296
- 31271
- 31314
- 31166
- 31101
- 31220
- 31021
- 31308
- 31311
- 31269
- 31312
- 31297
- 31315
- 31192
- 31267
- 31232
- 31310
- 31246
- 31300
- 31273
- 31322
- 31320
- 31324
- 29092
- 33053
- 32633
- 33055
- 32776
- 32977
- 33065
- 32943
- 33080
- 33005
- 33057
- 33087
- 32961
- 33086
- 33001
- 33003
- 31985
- 33088
- 33093
- 33067
- 33033
- 32819
- 33054
- 33095
- 32979
- 33031
- 33094

Download

6.1.24 - 904622 (March 20, 2024)

Playbooks

Cortex XDR incident handling v3

Updated the conditional task that determines whether to continue with the investigation and response to any unhandled alerts if they are found.

Cortex XDR Alerts Handling v2

Added a new task to set context key for unhandled alerts.

Related pull requests:
- 33298

Download

6.1.23 - R898707 (March 18, 2024)

Playbooks

Cortex XDR incident handling v3

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Cortex XDR - Port Scan - Adjusted

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Cortex XDR Lite - Incident Handling

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

6.1.22 - 893615 (March 16, 2024)

Layouts

Cortex XDR Incident
Added a dedicated tab for the "Large Upload" alert handling.

Playbooks

New: Cortex XDR - Large Upload

The playbook investigates Cortex XDR incidents involving large upload alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling v2’.
The playbook consists of the following procedures:
Searches for similar previous incidents that were closed as false positives.
Enrichment and investigation of the initiator and destination hostname and IP address.
Enrichment and investigation of the initiator user, process, file, or command if it exists.
Detection of related indicators and analysis of the relationship between the detected indicators.
Utilize the detected indicators to conduct threat hunting.
Blocks detected malicious indicators.
Endpoint isolation.
This playbook supports the following Cortex XDR alert names:
Large Upload (Generic)
Large Upload (SMTP)
Large Upload (FTP)
Large Upload (HTTPS) (Available from Cortex XSOAR 6.10.0).

Cortex XDR Alerts Handling v2

Added the 'Cortex XDR - Large Upload' sub-playbook.

Cortex XDR - Search and Compare Process Executions - XDR Alerts

Updated the playbook description.

Related pull requests:
- 32867
- 33201

Download

6.1.21 - 874766 (March 7, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Improved implementation.

Related pull requests:
- 33249

Download

6.1.20 - 873658 (March 6, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added support for mirrored flexible close-reason mapping from Cortex XSOAR > Cortex XDR and vice-versa.

Related pull requests:
- 33140

Download

6.1.19 - 871927 (March 6, 2024)

Integrations

Cortex XDR - IOC

Added a functionality to display XSOAR indicator link in XDR when indicator_link is received as the comment.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 32681
- 33194
- 33196
- 33176
- 33177
- 33114
- 33183
- 33181
- 33085
- 33171
- 33184
- 33020
- 33202
- 33170
- 33058
- 33141
- 33062
- 33159
- 33154
- 33096

Download

6.1.18 - 865088 (March 3, 2024)

Layouts

Cortex XDR Incident
Added a dedicated tab for Identity Analytics alerts handling.

Mappers

XDR - Incoming Mapper

Added a new mapping for the incident field alert tags.

Playbooks

Cortex XDR Alerts Handling v2

Added a flow for the new Identity Analytics playbook.

New: Cortex XDR - Identity Analytics

New: The Cortex XDR - Identity Analytics playbook is designed to handle Cortex XDR Identity Analytics alerts and executes the following:
Analysis:

Enriches the IP address and the account, providing additional context and information about these indicators.
Verdict:
Determines the appropriate verdict based on the data collected from the enrichment phase.
Investigation:
Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity.
Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook.
Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook.
Verdict Handling:
Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP addresses and revoking or clearing user's sessions.
Handles non-malicious alerts identified during the investigation.
The playbook is used as a sub-playbook in ‘Cortex XDR Alerts Handling v2’.
(Available from Cortex XSOAR 6.10.0).

Cortex XDR - First SSO Access - Set Verdict

Deprecated. Use Cortex XDR - Identity Analytics instead.

Cortex XDR - First SSO Access

Deprecated. Use Cortex XDR - Identity Analytics instead.

Related pull requests:
- 32470

Download

6.1.17 - 833530 (February 17, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the 'Resolved - Security Testing' close reason was not mirrored properly.

Related pull requests:
- 32856

Download

6.1.16 - 829761 (February 15, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Updated the outgoing mirroring process to also check the close reason of the incident, if needed.
Updated the name of the schema to Cortex XDR Incident Schema.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Mappers

Cortex XDR - Outgoing Mapper

Added the field close_reason to the mapper.
Added the field status to the Common Mapping.
Added the incident type Malware Investigation and Response to the outgoing mapper.

Related pull requests:
- 32359

Download

6.1.15 - R828628 (February 14, 2024)

Playbooks

Cortex XDR Lite - Incident Handling

Updated the description of the 'Cortex XDR - Lite Incident Handling' playbook.

Related pull requests:
- 32861

Download

6.1.14 - 819156 (February 11, 2024)

Playbooks

Cortex XDR device control violations

Added a conditional task to check if the user's email was retrieved from Active Directory.

Related pull requests:
- 32780

Download

6.1.13 - 815435 (February 8, 2024)

Integrations

Cortex XDR - IOC

Temporarily disabled the iocs_to_keep functionality due to an issue in the XDR API.
Added the zip argument to xdr-iocs-create-sync-file, to return a zipped file.
Added the set_time argument to xdr-iocs-create-sync-file, saving the command run timestamp, effecting future indicator synchronizations by the integration (indicators modified before this time will be ignored).
Added logs
Updated the docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32788

Download

6.1.12 - 806093 (February 5, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32614

Download

6.1.11 - 803390 (February 4, 2024)

Incident Fields

XDR Medium Severity Alert Count
XDR Notes
XDR Host Count
XDR Risky Host Count
XDR Risky Hosts
XDR Assigned User Email
XDR Network Artifacts
XDR Risky Users
XDR Low Severity Alert Count
XDR Similar Incidents
XDR Alerts
XDR File Artifacts
XDR Assigned User Pretty Name
XDR MITRE Tactics
XDR Alert Count
XDR High Severity Alert Count
XDR Status
XDR Alert Name
XDR File Name
XDR User Count
XDR Users
XDR Resolve Comment
XDR Detection Time
XDR Alert Category
XDR Status v2
XDR MITRE Techniques
XDR Incident ID
XDR File SHA256
XDR Description
XDR URL

Playbooks

Cortex XDR Lite - Incident Handling

Added mapping for detectiontimestamp in ISO format to the layout.

Related pull requests:
- 32617

Download

6.1.10 - 798475 (February 1, 2024)

Playbooks

Cortex XDR - Retrieve File v2

Fixed an issue where the playbook failed if no endpoint ID was specified in the inputs.

Related pull requests:
- 32500

Download

6.1.9 - 793334 (January 30, 2024)

Playbooks

Cortex XDR - Retrieve File v2

Added a task to check if the "Cortex XDR - IR" integration is enabled.

Related pull requests:
- 32458

Download

6.1.8 - 790023 (January 28, 2024)

Playbooks

New: Cortex XDR IOCs - Disable expired IOCs in XDR

New: This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR (Main)". This playbook disables indicators in Cortex XDR after they expire from Cortex XSOAR using a loop and querying on the "xdr_pushed" tag.

New: Cortex XDR IOCs - Push new IOCs to XDR

New: This is a sub-playbook of "Cortex XDR IOCs - Push new IOCs to XDR - Main" and should not be run on its own. This sub-playbook will retrieve IOCs according to the users query input (passed from the main playbook) and push them into XDR, and mark them as "xdr_pushed" or "xdr_not_processed" for further processing.

New: Cortex XDR IOCs - Push new IOCs to XDR (Main)

New: This is the main playbook for XDR IOCs sync. The playbook will "sync" IOCs into XDR by pushing new IOCs in and disabling expired IOCs. The playbook utilizes XSOAR tags and loops in order to find IOCs using a query provided by the user. The play book will iterate over the IOCs pushing them in batches into XDR. In the second phase the playbook will disable expired IOCs that were previously pushed into XDR. We recommend running this playbook as a Job a few times a day after disabling the integration sync function.

Related pull requests:
- 32274

Download

6.1.7 - 785965 (January 25, 2024)

Playbooks

Cortex XDR Remote PsExec with LOLBIN command execution alert

Fixed an issue with Entity Enrichment - Generic sub playbook

Related pull requests:
- 32409

Download

6.1.6 - 774340 (January 21, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Improved implementation of xdr-get-incidents by unifying similar code blocks.
Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 31333

Download

6.1.5 - 771322 (January 18, 2024)

Integrations

Cortex XDR - IOC

Fixed an issue where IOC with type URL failed to be sent to XDR in xdr-iocs-push.
Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32277

Download

6.1.4 - 757686 (January 11, 2024)

Playbooks

Cortex XDR Remote PsExec with LOLBIN command execution alert

Updated the playbook description

Related pull requests:
- 31748
- 31197
- 30641
- 31213
- 30647
- 31225
- 30873
- 31168
- 31228
- 31226
- 31236
- 30393
- 31233
- 31242
- 31183
- 31245
- 31254
- 30525
- 30501
- 31268
- 31179
- 31170
- 31247
- 31084
- 30663
- 31190
- 30712
- 31252
- 30493
- 25523
- 31144
- 31265
- 31253
- 31262
- 31154
- 30959
- 31234
- 31276
- 31286
- 31264
- 31272
- 31287
- 31288
- 31290
- 31289
- 31291
- 31292
- 31293
- 31295
- 31294
- 31256
- 31189
- 31296
- 31271
- 31314
- 31166
- 31101
- 31220
- 31021
- 31308
- 31311
- 31269
- 31312
- 31297
- 31315
- 31192
- 31267
- 31232
- 31310
- 31246
- 31300
- 31273
- 31322
- 31320
- 31324
- 29092
- 31299
- 31251
- 31319
- 30783
- 30940
- 31334
- 31337
- 30110
- 31340
- 31331
- 31343
- 31148
- 31124
- 31327
- 31281
- 31350
- 31028
- 31230
- 31346
- 30990
- 30819
- 31373
- 31372
- 31352
- 31212
- 30981
- 31349
- 31362
- 31368
- 31376
- 31369
- 31370
- 31385
- 31123
- 31342
- 31347
- 31363
- 30637
- 31371
- 31097
- 31387
- 31386
- 30787
- 31378
- 31155
- 31357
- 31223
- 31159
- 31330
- 29709
- 31401
- 31237
- 31392
- 31403
- 31339
- 30694
- 31399
- 31410
- 31414
- 31302
- 31406
- 31329
- 31420
- 31419
- 31065
- 1
- 31318
- 31062
- 31417
- 31431
- 31427
- 31418
- 31323
- 31361
- 30157
- 31398
- 31428
- 31434
- 31439
- 31377
- 31446
- 31459
- 31433
- 31355
- 31451
- 31442
- 31471
- 31473
- 31229
- 31326
- 31146
- 31448
- 31470
- 31394
- 31472
- 31457
- 31475
- 31476
- 31474
- 31485
- 31140
- 31458
- 31460
- 31194
- 31481
- 31507
- 31328
- 31402
- 31510
- 31019
- 31482
- 31411
- 31483
- 31461
- 31136
- 31393
- 31520
- 31523
- 31099
- 31514
- 31522
- 31404
- 31517
- 31512
- 31167
- 31531
- 31533
- 31565
- 31496
- 31537
- 31479
- 31487
- 31535
- 31557
- 31421
- 31558
- 31550
- 31560
- 31562
- 31555
- 31554
- 31552
- 31556
- 31551
- 31553
- 31559
- 30983
- 31568
- 31547
- 31478
- 31573
- 31436
- 31518
- 31224
- 31495
- 31563
- 31574
- 31388
- 31191
- 31579
- 31536
- 31572
- 31527
- 31578
- 31438
- 31583

Download

6.1.3 - 755215 (January 10, 2024)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the following polling commands retrieved partial results when a list of arguments was provided:
- xdr-kill-process-script-execute
- xdr-file-exist-script-execute
- xdr-get-script-execution-status
- xdr-file-delete-script-execute

Related pull requests:
- 31956

Download

6.1.2 - 749444 (January 8, 2024)

Playbooks

Cortex XDR incident handling v3

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSOAR 8.5.0).

Cortex XDR Lite - Incident Handling

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSOAR 8.5.0).

Related pull requests:
- 31890

Download

6.1.1 - 731204 (January 1, 2024)

Scripts

DBotGroupXDRIncidents

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31841
- 31794

Download

6.1.0 - 728763 (December 31, 2023)

Playbooks

New: Cortex XDR Alerts Handling v2

The new playbook does not get extra incident data for each alert, and does not declare any outputs. Alert extra data is instead retrieved in the Incident Handling v3 playbook. Using this playbook retains backward-compatibility while significantly reducing the size of the workplan state in the system and improving performance.

Cortex XDR Alerts Handling

Deprecated. Use Cortex XDR - Alerts Handling v2 instead. When using the v2 version, enabling globally shared context for that playbook is required because outputs are no longer declared.

Cortex XDR incident handling v3

Fixed an issue where the playbook was using Cortex XDR - Alerts Handling with global context enabled while still outputting outputs. The new playbook now has no outputs but is still executed with global context, significantly reducing the size of workplan state in the system.
Updated the playbook to use Cortex XDR - Alerts Handling v2.

Related pull requests:
- 31760

Download

6.0.11 - 7254058 (December 24, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added support for Xpanse Marketplace scoping.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31582
- 31539

Download

6.0.10 - 7195147 (December 18, 2023)

Playbooks

Cortex XDR - First SSO Access

Added 'skipifunavailable' to "IP Enrichment" task.

Related pull requests:
- 31512

Download

6.0.9 - 7142940 (December 12, 2023)

Playbooks

Cortex XDR incident handling v3

Updated the "Cortex XDR Alerts Handling" sub-playbook to use the "InternalRanges" input instead of default static value.
Added a default value to the "InternalRanges" playbook input.

Cortex XDR Alerts Handling

Added a new playbook input for Internal IP ranges.
Updated the "Port Scan - adjusted" sub-playbook to get Internal IP ranges from inputs instead of static value.

Related pull requests:
- 31329

Download

6.0.8 - 7132024 (December 11, 2023)

Playbooks

Cortex XDR - Malware Investigation

The sub-playbook "Cortex XDR - Retrieve File" was replaced with a new version "Cortex XDR - Retrieve File v2".

Related pull requests:
- 31330

Download

6.0.7 - 7083058 (December 6, 2023)

Layouts

Cortex XDR Incident
Added a field for Command Line Verdict in the "XDR basic information" section under the "Case Info" tab of the XDR Incident layout.

Playbooks

Cortex XDR Alerts Handling

Added a sub-playbook to handle "Remote PsExec with LOLBIN command execution" alert.

New: Cortex XDR Remote PsExec with LOLBIN command execution alert

New: V The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:
Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).
Enrich any entities and indicators from the alert and find any related campaigns.
Perform command analysis to provide insights and a verdict for the executed command.
Perform further endpoint investigation using Cortex XDR.
Checks for any malicious verdicts found to raise the severity of the alert.
Perform automatic/manual remediation response by blocking any malicious indicators found.
The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
It depends on the data from the parent playbooks and cannot be used as a standalone version. (Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 29092

Download

6.0.6 - 7076512 (December 5, 2023)

Playbooks

Cortex XDR - Get entity alerts by MITRE tactics

Rewrote the playbook to create only 1 search request instead of a request for each tactic. The performance of the playbook has been significantly improved.

Related pull requests:
- 31232

Download

6.0.5 - 7066068 (December 4, 2023)

Playbooks

Cortex XDR - Port Scan - Adjusted

Fixed an issue with empty value for "InternalIPRanges" playbook input causing playbook to fail.

Related pull requests:
- 31154

Download

6.0.4 - 7029664 (November 30, 2023)

Playbooks

New: Cortex XDR - Quarantine File v2

New: This playbook accepts file path, file hash and endpoint id in order to quarantine a selected file and wait until the action is done.

Cortex XDR - Retrieve File Playbook

Deprecated. Use Cortex XDR - Retrieve File Playbook v2 instead.

New: Cortex XDR - Retrieve File v2

New: This playbook retrieves files from selected endpoints. You can retrieve up to 20 files, from 10 endpoints.
Inputs for this playbook are:
A comma-separated list of endpoint IDs.
A comma-separated list of file paths for your operating system, either Windows, Linux, or Mac. At least one file path is required.

Cortex XDR - quarantine file

Deprecated. Use Cortex XDR - quarantine file v2 instead.

Related pull requests:
- 31082

Download

6.0.3 - R7001088 (November 27, 2023)

Integrations

Cortex XDR - IOC

Improved the fetch implementation to ensure that expired and deleted IOCs are deleted after not more than 24 hours.
Updated the Docker image to: demisto/python3:3.10.13.80593.

Related pull requests:
- 30163

Download

6.0.2 - 6932727 (November 19, 2023)

Playbooks

New: Cortex XDR - Search and Compare Process Executions - XDR Alerts

New: This playbook is a generic playbook that receives a process name and command-line argument. It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
value: process name
commands: command-line arguments. (Available from Cortex XSOAR 6.9.0).

New: Cortex XDR - Search and Compare Process Executions - XQL Engine

New: This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compare the command-line argument from the results to the command-line argument received from the playbook input.
Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
value: process name
commands: command-line arguments (Available from Cortex XSOAR 6.9.0).

New: Cortex XDR - Search And Block Software - XQL Engine

New: This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block. (Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 28853

Download

6.0.1 - 6899385 (November 15, 2023)

Playbooks

Cortex XDR Lite - Incident Handling

Updated the playbook description.

Related pull requests:
- 30848

Download

6.0.0 - 6887992 (November 14, 2023)

Important Note: The following playbook: Cortex XDR - Cloud IAM User Access Investigation moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Response' pack will be installed as a dependency of the 'Cortex XDR' pack.

Related pull requests:
- 28650

Download

5.2.6 - 6883610 (November 14, 2023)

Incident Types

Cortex XDR - Lite
- Added the Cortex XSOAR as the only marketplace where this content item can be used.
Cortex XDR - XCLOUD Cryptomining
- Added the Cortex XSOAR as the only marketplace where this content item can be used.
Cortex XDR Device Control Violations
- Added the Cortex XSOAR as the only marketplace where this content item can be used.
Cortex XDR Incident
- Added the Cortex XSOAR as the only marketplace where this content item can be used.

Integrations

Cortex XDR - IOC

Updated the Docker image to: demisto/python3:3.10.13.80014.

Cortex XDR - XQL Query Engine

Updated the Docker image to: demisto/python3:3.10.13.80014.

Palo Alto Networks Cortex XDR - Investigation and Response

Added the public_ip_list argument for the xdr-get-endpoints command.
Updated the Docker image to: demisto/python3:3.10.13.80014.

Playbooks

Cortex XDR - First SSO Access

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR - Port Scan - Adjusted

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR - Possible External RDP Brute-Force

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR - PrintNightmare Detection and Response

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR Alerts Handling

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR Lite - Incident Handling

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR Malware - Incident Enrichment

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR Malware - Investigation And Response

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR device control violations

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Cortex XDR incident handling v3

Added the Cortex XSOAR as the only marketplace where this content item can be used.

Scripts

CortexXDRAdditionalAlertInformationWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

CortexXDRCloudProviderWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

CortexXDRIdentityInformationWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

CortexXDRInvestigationVerdict

Updated the Docker image to: demisto/python3:3.10.13.80014.

CortexXDRRemediationActionsWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

DBotGroupXDRIncidents

Updated the Docker image to: demisto/python3:3.10.13.80014.

EntryWidgetNumberHostsXDR

Updated the Docker image to: demisto/python3:3.10.13.80014.

EntryWidgetNumberRegionsXCLOUD

Updated the Docker image to: demisto/python3:3.10.13.80014.

EntryWidgetNumberResourcesXCLOUD

Updated the Docker image to: demisto/python3:3.10.13.80014.

EntryWidgetNumberUsersXDR

Updated the Docker image to: demisto/python3:3.10.13.80014.

EntryWidgetPieAlertsXDR

Updated the Docker image to: demisto/python3:3.10.13.80014.

XCloudRegionsPieWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

XCloudResourcesPieWidget

Updated the Docker image to: demisto/python3:3.10.13.80014.

XDRConnectedEndpoints

Updated the Docker image to: demisto/python3:3.10.13.80014.

XDRDisconnectedEndpoints

Updated the Docker image to: demisto/python3:3.10.13.80014.

Related pull requests:
- 30662
- 30308

Download

5.2.5 - 6804257 (November 5, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Updated the Docker image to: demisto/python3:3.10.13.78960.
Added the Process.is_malicious key to xdr-get-incident-extra-data command.

Related pull requests:
- 30519

Download

5.2.4 - 6780549 (November 2, 2023)

Incident Types

Cortex XDR - Lite
New: Cortex XDR - Lite

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Updated the default value for the classifier and incident type to Cortex XDR - Lite.
Updated the Docker image to: demisto/python3:3.10.13.78960.

Layouts

New: Cortex XDR - Lite
New: Cortex XDR - Lite (Available from Cortex XSOAR 6.9.0).

Mappers

XDR - Incoming Mapper

Added support for the Cortex XDR - Lite incident type.

Playbooks

New: Cortex XDR Lite - Incident Handling

Cortex XDR Lite - Incident Handling

The Cortex XDR Lite - Incident Handling playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident and executes the following:
Analysis:

Enriches all the indicators in the incidents.
Investigation:
Checks for related XDR alerts to the user and the endpoint by Mitre tactics.
Checks for specific arguments for malicious usage from the command line.
Verdict:
Determines the appropriate verdict based on the analysis and the investigation findings.
Verdict Handling:
Handles malicious incidents by initiating appropriate response actions.

Scripts

New: CortexXDRInvestigationVerdict

New: This widget displays the incident verdict based on the Verdict field. This widget is utilized by the Cortex XDR - Lite layout.

Related pull requests:
- 30497

Download

5.2.3 - 6735458 (October 29, 2023)

Playbooks

Cortex XDR Alerts Handling

Added a new alert handling playbook 'Cortex XDR - Cloud Data Exfiltration Response'.

Related pull requests:
- 30384

Download

5.2.2 - 6674581 (October 22, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added the Remove legacy incident fields integration parameter. You will need to enable this parameter in your instance settings to remove redundant fields under file_artifacts, network_artifacts, and alerts.
Updated the Docker image to: demisto/python3:3.10.13.77674.

Related pull requests:
- 30146

Download

5.2.1 - 6617721 (October 16, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added the filter_alert_fields argument to xdr-get-cloud-original-alerts (default is True, for backwards compatibility). This argument allows filtering out fields from alerts to reduce data size for investigation and response context.
Updated the Docker image to: demisto/python3:3.10.13.75921.

Related pull requests:
- 30064

Download

5.2.0 - 6608983 (October 15, 2023)

Incident Fields

New: XDR Risky User Count
New: XDR Risky Hosts
New: XDR Risky Host Count
New: XDR Risky Users

Layouts

Cortex XDR Incident
Reorganized the Basic Information section.
Added information to show how many users and hosts in the incident are considered risky by the new Cortex XDR ITDR module.
Added a "Risky Assets" tab when a risky user or host is involved in the incident. The tab displays a table of all the risky users and hosts involved. Information displayed includes the asset ID, the associated risk level, and the factors contributing to the associated risk.

Playbooks

Cortex XDR incident handling v3

Added a new sub-playbook to display information about risky assets when such data is retrieved from the entity enrichment playbook.

New: Cortex XDR - Display Risky Assets

New: This playbooks displays risky users and risky hosts, as detected by Cortex XDR's ITDR module. The data is displayed in incident fields in Cortex XDR incidents. (Available from Cortex XSOAR 6.5.0).

New: Calculate Severity - Cortex XDR Risky Assets

New: Calculates a severity for the incident based on the involvement of risky users or risky hosts in the incident, as determined by the Cortex XDR ITDR module. (Available from Cortex XSOAR 6.5.0).

Cortex XDR - Possible External RDP Brute-Force - Set Verdict

Updated the playbook to take into account the involvement of risky assets when setting a verdict for the alert.

Cortex XDR - Possible External RDP Brute-Force

Added new Cortex XDR ITDR capabilities. The playbook now enriches the endpoint and account involved in the alert with identity risk information from Cortex XDR. The new information enhances the decision making of the playbook and improves detection accuracy.
Added new possible inputs for the "Critical Element" input. This lets the user decide whether the presence of a risky user or host should change the verdict of the alert to "malicious".

Cortex XDR - First SSO Access

Added new Cortex XDR ITDR capabilities. The alert is now enriched with alert identity risk information from Cortex XDR. The new information enhances the decision making of the playbook and improves detection accuracy.

Cortex XDR - First SSO Access - Set Verdict

Updated the playbook to take into account the involvement of risky assets when setting a verdict for the alert.

Related pull requests:
- 30076

Download

5.1.9 - R6592021 (October 13, 2023)

Integrations

Cortex XDR - IOC

A warning to notify the user about IOCs that were not pushed to XDR was added to the xdr-ioc-push command.
Updated the Docker image to: demisto/python3:3.10.13.75921.

Related pull requests:
- 30039

Download

5.1.8 - R6544910 (October 8, 2023)

Layouts

Cortex XDR Incident
Fixes the 'Technical Details' and 'Investigation' tabs filter.

Related pull requests:
- 29955

Download

5.1.7 - 6363299 (September 19, 2023)

Incident Fields

Added the resolved_auto status to the select values list of the following fields:

XDR Status v2

Related pull requests:
- 29669

Download

5.1.6 - 6313394 (September 13, 2023)

Playbooks

Cortex XDR Malware - Incident Enrichment

Added tasks to extract usernames from domain usernames in order to allow enrichment with both integrations that accept domain usernames and integrations that accept only usernames for enrichment.

Related pull requests:
- 29585

Download

5.1.5 - 6299513 (September 12, 2023)

Layouts

Cortex XDR Incident
Fixed an issue with the display filter on the investigation tab.

Related pull requests:
- 29578

Download

5.1.4 - 6259960 (September 7, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 29403

Download

5.1.3 - 6253250 (September 6, 2023)

Mappers

XDR - Incoming Mapper

Fixed an issue with duplicated data in the incident context schema by removing unused XDR fields from the Malware Investigation And Response incident type.
A list of removed fields from the Malware Investigation And Response incident type mapping:

XDR Alert Category
XDR Alert Count
XDR Alert Name
XDR Alerts
XDR Assigned User Email
XDR Assigned User Pretty Name
XDR Description
XDR Detection Time
XDR File Artifacts
XDR File Name
XDR File SHA256
XDR High Severity Alert Count
XDR Host Count
XDR Incident ID
XDR Low Severity Alert Count
XDR MITRE Tactics
XDR MITRE Techniques
XDR Medium Severity Alert Count
XDR Modification Time
XDR Network Artifacts
XDR Notes
XDR Resolve Comment
XDR Status
XDR Status v2
XDR URL
XDR User Count
XDR Users

Related pull requests:
- 29414

Download

5.1.2 - 6180521 (August 29, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where xdr-list-risky-hosts returned wrong outputs in case no hosts were found.

Related pull requests:
- 29178

Download

5.1.1 - 6143763 (August 24, 2023)

Playbooks

Cortex XDR - Port Scan - Adjusted

Added the 'Block Indicators - Generic v3' sub-playbook, which blocks malicious detected indicators as part of the containment and remediation process.
Added the 'Cortex XDR - Isolate Endpoint' playbook, which addresses the isolation of an internal endpoint as part of the remediation process.
Added the following sub-playbooks to the analysis stage:
- 'File Enrichment - Generic v2'.
- 'Account Enrichment - Generic v2.1'.
- 'IP Enrichment - Generic v2'.
Added the following sub-playbooks to the investigation stage:
- 'Cortex XDR - Endpoint Investigation'.
- 'TIM - Indicator Relationships Analysis'.
- 'User Investigation - Generic'.
- 'Command-Line Analysis'.
- 'Threat Hunting - Generic'.

Cortex XDR Malware - Incident Enrichment

Fixed an issue where the xdr-list-risky-users and xdr-list-risky-hosts commands would fail when the XDR Identity Threat Module was disabled or the license was missing.

Related pull requests:
- 28932

Download

5.0.10 - 6129053 (August 23, 2023)

Playbooks

Cortex XDR Malware - Incident Enrichment

Fixed an issue where usernames tied to specific domains were not enriched as expected.

Related pull requests:
- 29024

Download

5.0.9 - 6106826 (August 21, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the xdr-list-risky-users and the xdr-list-risky-hosts commands failed when users or hosts with escape characters were provided.

Related pull requests:
- 29076

Download

5.0.8 - 6076227 (August 17, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the xdr-list-risky-users and the xdr-list-risky-hosts commands failed when the user or host could not be found.

Related pull requests:
- 29019

Download

5.0.7 - 6037382 (August 13, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where in some cases the fetch incidents and get_incident_extra_data commands returned 401 status code.
Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 28747

Download

5.0.6 - 5972692 (August 6, 2023)

Classifiers

Cortex XDR Incident Handler - Classifier

Fixed an issue where incoming incidents classified as "Malware" instead of "XDR incident" incident type.

Related pull requests:
- 28796

Download

5.0.5 - 5918814 (July 31, 2023)

Scripts

CortexXDRIdentityInformationWidget

Added a validation to check whether there is one element in the AWS IAM users key.

Related pull requests:
- 28558

Download

5.0.4 - R5866730 (July 25, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the integration failed when searching for a value that doesn't exist, when running one of the following commands:
- xdr-list-risky-users
- xdr-list-risky-hosts
- xdr-list-user-groups
- xdr-list-roles

Related pull requests:
- 28194

Download

5.0.3 - 5801668 (July 18, 2023)

Scripts

DBotGroupXDRIncidents

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28221

Download

5.0.2 - 5786478 (July 17, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added support for multiple endpoint statuses when calling xdr-get-endpoints.

Related pull requests:
- 28183
- 28131

Download

5.0.1 - 5780572 (July 16, 2023)

Scripts

XCloudRegionsPieWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

EntryWidgetNumberResourcesXCLOUD

Updated the Docker image to: demisto/python3:3.10.12.63474.

XCloudResourcesPieWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

EntryWidgetNumberUsersXDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

XDRDisconnectedEndpoints

Updated the Docker image to: demisto/python3:3.10.12.63474.

CortexXDRIdentityInformationWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

EntryWidgetPieAlertsXDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

CortexXDRRemediationActionsWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

CortexXDRAdditionalAlertInformationWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

EntryWidgetNumberHostsXDR

Updated the Docker image to: demisto/python3:3.10.12.63474.

XDRConnectedEndpoints

Updated the Docker image to: demisto/python3:3.10.12.63474.

CortexXDRCloudProviderWidget

Updated the Docker image to: demisto/python3:3.10.12.63474.

EntryWidgetNumberRegionsXCLOUD

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28182

Download

5.0.0 - 5760561 (July 13, 2023)

Playbooks

Cortex XDR Alerts Handling

Added a flow for the new Cloud Token Theft playbook.

Related pull requests:
- 28058

Download

4.11.8 - 5698017 (July 6, 2023)

Layouts

Cortex XDR Incident
Added a dedicated tab for Cloud Token Theft alerts handling.

Playbooks

Cortex XDR - XCloud Cryptojacking

Fix a typo in the Set Incident 'type' field task.

Related pull requests:
- 27808

Download

4.11.7 - R5692327 (July 5, 2023)

Integrations

Cortex XDR - IOC

Updated the Docker image to: demisto/python3:3.10.12.63474.

Palo Alto Networks Cortex XDR - Investigation and Response

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27877

Download

4.11.6 - 5593144 (June 22, 2023)

Integrations

Cortex XDR - XQL Query Engine

Fixed an issue in the xdr-xql-generic-query command where the tenant_id argument wasn't used.
Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27661

Download

4.11.5 - 5535815 (June 15, 2023)

Playbooks

Cortex XDR Malware - Incident Enrichment

Updated the Data Collection task to be mandatory for the user.

Related pull requests:
- 27277

Download

4.11.4 - R5527167 (June 14, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue in the xdr-script-run command where the polling timeout parameter was not handled correctly.

Related pull requests:
- 27238

Download

4.11.3 - R5450895 (June 5, 2023)

Layouts

Cortex XDR Incident
The incident field "User Disabled Status" replaced with "User Block Status"

Playbooks

Cortex XDR - Possible External RDP Brute-Force

Remediation task is now using "Block Indicators - Generic V3" playbook
Ip Reputation will be displayed in layout as Benign/Suspicious/Malicious instead of 1/2/3
Incident Severity will be changed based on the investigation results
Early containment can be disabled changing the playbook input "EarlyContainment" to "false". Default value is "true"

Related pull requests:
- 26661

Download

4.11.2 - 5413782 (May 31, 2023)

Playbooks

Cortex XDR Incident Sync

Deprecated. No available replacement.

Related pull requests:
- 26983

Download

4.11.1 - 5404881 (May 30, 2023)

Playbooks

Cortex XDR - Execute commands

Deprecated. Use the xdr-script-commands-execute command instead.

Cortex XDR - Execute snippet code script

Deprecated. Use the xdr-snippet-code-script-execute command instead.

Cortex XDR - check file existence

Deprecated. Use the xdr-file-exist-script-execute command instead.

Cortex XDR - delete file

Deprecated. Use the xdr-file-delete-script-execute command instead.

Cortex XDR - kill process

Deprecated. Use the xdr-kill-process-script-execute command instead.

Cortex XDR - True Positive Incident Handling

Replaced Cortex XDR - delete file (Deprecated) sub-playbook with the xdr-file-exist-script-execute command.

Related pull requests:
- 26406

Download

4.11.0 - 5358193 (May 24, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Updated the Docker image to: demisto/python3:3.10.11.61265.
Added the following commands:
- xdr-list-users
- xdr-list-user-groups
- xdr-list-risky-users
- xdr-list-risky-hosts
- xdr-list-roles
- xdr-set-user-role
- xdr-remove-user-role

Related pull requests:
- 26211

Download

4.10.45 - 5356324 (May 24, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the instructions for getting the URL of the XDR instance were inaccurate.

Playbooks

Cortex XDR - Endpoint Investigation

Internal code improvements.

Related pull requests:
- 26944

Download

4.10.43 - 5318720 (May 21, 2023)

Classifiers

Cortex XDR Incident Handler - Classifier

Updated the classifier to classify Port Scan alert as XDR Incident.
Fixed an issue with the classifier condition failing when file_artifacts is empty and not null.

Playbooks

Cortex XDR - Port Scan

Deprecated. Use the Cortex XDR - Port Scan - Adjusted playbook instead.
Deprecated. Use the Cortex XDR - Port Scan - Adjusted playbook instead.

Cortex XDR Alerts Handling

Updated the Choose playbook by category conditional task to ignore case sensitive.

Related pull requests:
- 26281

Download

4.10.42 - 5289877 (May 17, 2023)

Playbooks

Cortex XDR Malware - Incident Enrichment

Internal code improvements.

Related pull requests:
- 25853

Download

4.10.41 - 5268538 (May 15, 2023)

Playbooks

Cortex XDR - First SSO Access

Updated containment stage by using okta-clear-user-sessions instead ad-expire-password.

Related pull requests:
- 26470

Download

4.10.40 - 5224782 (May 9, 2023)

Playbooks

Cortex XDR - Retrieve File by sha256

Internal code improvements.

Related pull requests:
- 26370

Download

4.10.39 - 5218044 (May 8, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added support for core-get-script-execution-result-files command to work with XSIAM.

Related pull requests:
- 26393

Download

4.10.38 - 5210128 (May 7, 2023)

Playbooks

Cortex XDR Malware - Incident Enrichment

Added a conditional task to prevent the 'endpoint' command from running for all endpoints by checking if an endpoint ID exists before proceeding.
Added a task to allow analysts to provide endpoint IDs for enrichment if endpoint IDs are missing from incidents.

Related pull requests:
- 26272

Download

4.10.37 - 5185403 (May 4, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue when running xdr-retrieve-files command with generic_field_path argument and macos endpoint was failing.

Related pull requests:
- 26282

Download

4.10.36 - R5170573 (May 2, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Fixed an issue where the endpoint command did not fail when no argument was provided.

Related pull requests:
- 26160

Download

4.10.35 - 5136717 (April 27, 2023)

Playbooks

Cortex XDR - Retrieve File by sha256

Updated the 'Print Error - No path was found' task to use 'PrintErrorEntry' automation rather than 'Print' automation.
Updated the playbook description.

Related pull requests:
- 26073

Download

4.10.34 - 5104594 (April 23, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Updated instructions for getting the URL.

Related pull requests:
- 26027

Download

4.10.33 - 5077739 (April 19, 2023)

Integrations

Cortex XDR - IOC

Updated the Docker image to: demisto/python3:3.10.11.54132.

Cortex XDR - XQL Query Engine

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25970

Download

4.10.32 - 5069026 (April 18, 2023)

Playbooks

Cortex XDR - True Positive Incident Handling

Fixed an issue with the 'URL_or_Domain' playbook input configuration that prevented the 'URL' context key from being used.

Related pull requests:
- 25950

Download

4.10.31 - 5057113 (April 17, 2023)

Integrations

Palo Alto Networks Cortex XDR - Investigation and Response

Added support for multiple endpoint statuses for the command xdr-get-endpoints-by-status.

Related pull requests:
- 25792
- 25861

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	April 14, 2024

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.