The following packs include breaking changes.
- ARIAPacketIntelligence Pack v2.0.0
- PhishTank Pack v2.0.2
- Polygon Pack v1.0.2
- Pulsedive Pack v1.0.1
- RiskIQ Digital Footprint Pack v1.0.4
- Synapse Pack v1.0.1
- Tripwire Pack v1.0.1
- TruSTAR Pack v2.1.1
- XM Cyber Pack v1.0.2
- XSOAR Mirroring Pack v2.0.0
This playbook does the following:
-
Collects indicators to aid in your threat hunting process.
- Retrieves IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
- Retrieves C2 domains and URLs associated with Sunburst.
- Discovers IOCs of associated activity related to the infection.
- Generates an indicator list to block indicators with SUNBURST tags.
-
Hunts for the SUNBURST backdoor.
- Queries firewall logs to detect network activity.
- Searches endpoint logs for Sunburst hashes to detect presence on hosts.
-
If compromised hosts are found the playbook:
- Notifies the security team to review and trigger remediation response actions.
- Fires off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Note: This is a beta pack, which lets you implement and test pre-released software. Since the pack is a beta version, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve the pack.
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source intrusion detection system (IDS) engine.
Leverage the Centrify Vault integration to create and manage secrets.
Add and remove domains in Cisco OpenDNS.
Use the CloudConvert integration to convert your files to the desired format.
Use this playbook to convert a file to the required format using CloudConvert.
Cryptocurrency Address Type
Cryptocurrency Address
Cryptocurrency will help classify Cryptocurrency indicators as suspicious when ingested.
Cryptocurrency Address - Indicator Details
Verifies that a crypto address is valid and only returns the address if it is valid.
Classifies all incidents fetched by the Darktrace integration as Darktrace Model Breach type incidents for the purpose of using the integration playbooks.
Maps model breach fields to mappings for use in integration playbooks.
- Darktrace Comment Count - Number of comments in the Darktrace model breach.
- Darktrace Device Hostname - Hostname associated with the device in Darktrace.
- Darktrace Device ID - ID associated with the device in Darktrace.
- Darktrace Device IP - IP address associated with the device in Darktrace.
- Darktrace Device Label - Device label associated with the device in Darktrace.
- Darktrace Device MAC - MAC address associated with the device in Darktrace.
- Darktrace Device Vendor Vendor associated with the device in Darktrace.
- Darktrace Model Breach Description - Description of the model breach.
- Darktrace Model Breach ID - Darktrace Model Breach ID (PBID) of the model breach.
- Darktrace Model Breach Score - Darktrace model breach score.
- Darktrace Model ID - Model ID (PID) associated with the model breach in Darktrace.
- Darktrace Model Name - Name associated with the model breach in Darktrace.
- Darktrace Model Priority - Priority of the model breach in Darktrace.
- Darktrace Model Tags - Tags associated with the model breach in Darktrace.
- Darktrace Model UUID - Model UUID associated with the model breach in Darktrace.
Darktrace Model Breach
Rapid detection of malicious behavior can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate and manage security events before they have time to escalate.
Handles each fetched Darktrace model breach by gathering additional detail about the activity and device, providing enrichment data from Darktrace and XSOAR, linking similar incidents, and providing the ability to acknowledge the model breach and close the incident.
Returns integration instances configured in Cortex XSOAR. You can filter by instance status and/or brand name (vendor).
Fetches IP addresses from the Public DNS feed.
Classifies Sophos Central incidents.
Maps incoming alerts from Sophos Central.
Sophos Central Incident
The unified console for managing Sophos products.
Classifies Tripwire incidents.
Maps incoming Tripwire incident fields.
Tripwire File Change
Tripwire is a file integrity management (FIM) system. FIM monitors files and folders on systems and is triggered when they have changed.
Tripwire File Change - Summary
Enriches the IP of a node.
Uses the Python pywinrm library and commands to execute either a process or Powershell scripts.
- Certificate Names
- Certificate Signature
- Certificate Validation Checks
- Extension
- Issuer DN
- PEM
- Public Key
- SPKI SHA256
- Serial Number
- Subject Alternative Names
- Subject DN
- Validity Not After
- Validity Not Before
Certificate
- Certificate Indicator
Extracts fields from a certificate file and returns the standard context.
Enriches and calculates the reputation of a certificate indicator.
- Breaking Change:
- Updated the integration to match the latest Packet Intelligence REST API.
- Removed the following arguments.
- label_sia_region
- label_sia_group
- label_sia_name
- Uses Remediation Configuration String (RCS) in the command to select SIA.
Maintenance and stability enhancements.
- Rebranded Anomali Enterprise to Anomali Match.
- Added the DGA tag to the domain command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Updated playbook descriptions.
Fixed an issue where only MD5 hash data was returned for all hash types in the file and threatstream-get-indicators commands.
- Switch ID - Asset
- IP Address - Asset
- MAC Address - Asset
- Asset Table
- Location - Asset
- Switch Port ID - Asset
- ID - Asset
- Description - Asset
- Fixed an issue where some indicators were fetched twice.
- Added AzureDevOps to the list of supported services.
- Added the classification and the classification_reason arguments to the azure-sentinel-update-incident command.
- Updated the Docker image to: demisto/crypto:1.0.0.14297.
- Fixed an issue where an empty Authorization header would be sent if the credentials parameter had an empty string in it.
- Updated the C2 IP feed and C2 Domain feed links.
- Updated the Docker image to: demisto/python3:3.8.6.14516.
- Updated the ip command with new code conventions.
- Fixed the outputs of the ip command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
- Updated BaseClient._http_request to include an optional argument for an empty codes list.
- Added CRYPTOCURRENCY to DBotScoreType.
- Added the Cryptocurrency indicator context to Common.
- Added the tags field to the Domain indicator class.
- Added support for clickable URL fields using the url argument in the tableToMarkdown method.
- Fixed an issue with the aws_table_to_markdown function, which failed on an empty list.
- Improved the log formatter to remove sensitive URL query parameters.
- Fixed the setIntegrationContext method in the $Demisto class.
- Added a new helper function, ConvertTo-Boolean, which converts a string to boolean.
Maps incoming Box incident fields.
- Box Source Parent Name
- Box Source Parent ID
- Box Source Owner Name
- Box Source Owner ID
- Box Source Created By Name
- Box Source Created By ID
Deprecated. Use the Box v2 integration instead.
- Manage Box users.
- Updated the Docker image to: demisto/pyjwt3:1.0.0.8871.
Box Incident
- Account Groups
- Successful Login
- Password Expiration Status
- Login Attempt Count
- User Disabled Status
Fixed an issue where an empty Authorization header would be sent when the credentials parameter had an empty string in it.
- Updated the checkpoint-login-and-get-session-id command to add an optional domain parameter allowing MDS logins.
- Updated the Docker image to: demisto/python3:3.8.6.14516.
- Fixed an issue where the ciscofp-deploy-to-devices command did not work in some versions of Cisco Firepower.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
- Claroty Alert Type
- Claroty Related Assets
- Claroty Category
- Claroty Alert Resolved
- Claroty Network ID
- Claroty Resource ID
- Claroty Site ID
- Code42 Alert Type
- Code42 Severity
- Code42 SecurityAlert Timestamp
- Code42 Username
- Exfiltrated Files
- Code42 SecurityAlert Description
- Code42 File Events
- Code42 SecurityAlert ID
- Code42 SecurityAlert Name
- Code42 SecurityAlert State
Deprecated. Use the Dedup Generic v3 playbook instead.
The new version of the Dedup playbook that includes the PhishingDedupPreprocessingRule new machine learning script, which identifies duplicate Phishing incidents.
Converts a date from a different timezone to UTC timezone.
Added support for non-English characters in the ids argument.
- Added the add_utc_timezone argument to indicate whether to add a UTC timezone in case an offset-naive date was provided as an input.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Added the missing DomainDNSDetails.CNAME script output. This output is the Domain CNAME records.
Fixed an issue where the script failed when there were no files to repopulate.
Fixed an issue where using the keysToKeep argument on a context key that contained an array with duplicate values would also perform deduplication on the array.
- Application Id
- Application Name
- IncomingMirrorError
- OutgoingMirrorError
- Dst Ports
- Log Source Type
- Assignment Group
- Pre Nat Destination Port
- Log Source Name
- CVSS Confidentiality Requirement
- Detected Users
- High Level Categories
- Escalation
- Traffic Direction
- Ticket Opened Date
- Source IPV6
- Low Level Categories Events
- DNS Name
- Close Time
- Ticket Number
- Source IPs
- Technical User
- Compliance Notes
- Source Geolocation
- Pre Nat Source Port
- Destination MAC Address
- Destination Hostname
- Number Of Log Sources
- Detected Internal Hosts
- Pre Nat Source IP
- Protocols
- Category Count
- Raw Event
- Technical Owner
- Device Time
- Event Descriptions
- Detected External Hosts
- Source Hostname
- Technical Owner Contact
- Last Update Time
- Post Nat Source IP
- CVSS Availability Requirement
- Follow Up
- List Of Rules - Event
- Detected Internal IPs
- Closing User
- Destination IPs
- Detected External IPs
- Unique Ports
- Caller
- Source MAC Address
- Usernames
- sAMAccountName
- Post Nat Destination Port
- Post Nat Source Port
- Dest Hostname
- Mobile Device Model
- CVSS Collateral Damage Potential
- Closing Reason
- Event Names
- Start Time
- Events
- Src Hostname
- Destination Geolocation
- Src Ports
- userAccountControl
- Protocol - Event
- Post Nat Destination IP
- Destination IPV6
- CVSS Integrity Requirement
- Ticket Closed Date
- Dest OS
- Device Id
- Policy Description
- SHA512
- SHA1
- Policy ID
Malware types
Fixed Tags field having empty options.
- Registrant Country
- Internal
- STIX ID
- CVSS
- Admin Phone
- DNS
- Office365Required
- Admin Country
- STIX Description
- Display Name
- Geo Country
- Username
- SHA512
- Description
- Actor
- Category
- Office365Category
- STIX Primary Motivation.
- Source Original Severity
- STIX Resource Level
- Email Address
- STIX Roles
- Updated Date
- Operating System
- Associations
- STIX Is Malware Family
- Subdomains
- Signature Copyright
- STIX Goals
- First Seen By Source
- Path
- Malware Family
- Entry ID
- CVE Modified
- STIX Malware Types
- Expiration Date
- Registrant Name
- STIX Kill Chain Phases
- Last Seen By Source
- MAC Address
- Signed
- Domain Referring IPs
- Registrar Abuse Email
- Organizational Unit (OU)
- Device Model
- Reported By
- File Extension
- Account Type
- ASN
- BIOS Version
- Indicator Identification
- Service
- Admin Email
- Name Field
- Registrant Email
- DHCP Server
- Region
- Groups
- Hostname
- Threat Types
- Name Servers
- Domain Status
- Traffic Light Protocol
- CVE Description
- Memory
- Office365ExpressRoute
- Organization
- STIX Secondary Motivations
- Signature Authentihash
- imphash
- IP Address
- STIX Tool Version
- STIX Threat Actor Types
- File Type
- Registrant Phone
- STIX Aliases
- Name
- MD5
- Detection Engines
- OS Version
- Admin Name
- Campaign
- Operating System Version
- Processors
- SHA1
- Domain Referring Subnets
- Size
- Signature File Version
- Signature Internal Name
- Associated File Names
- Domain Name
- SSDeep
- Positive Detections
- Geo Location
- Creation Date
- Feed Related Indicators
- Registrar Name
- Domain IDN Name
- STIX Tool Types
- STIX Sophistication
- Registrar Abuse Phone
- Port
- SHA256
- Processor
- Published
unifiedFileRep - Fixed an issue where the associated layout was not File Indicator.
Added the concentricai-get-file-sharing-details command, which adds file sharing details in the playbook.
The playbook now enables one to fetch all file details, file sharing permissions along with user details of the owner.
- Added support for a caching mechanism for repetitive errors when requesting access token from CDL server.
- Added the cdl-reset-authentication-timeout command to reset the failure counters of the caching mechanism.
- Updated the Docker image to: demisto/python_pancloud_v2:1.0.0.14327.
- Job Title
- Employee Response Status
- Employee Health Status
- First Name
- CrowdStrike Falcon Incident
- CrowdStrike Falcon Detection
Fixed an issue where an IOC, which does not exist, caused an error in the cs-device-ran-on and the cs-falcon-device-count-ioc commands.
- Cymulate Immediate Threats Payload Name
- Cymulate Immediate Threats Attack ID
- Cymulate Immediate Threats Module
- Cymulate Immediate Threats Mitigations
- Cymulate Immediate Threats Vector
- Cymulate Immediate Threats Status
- Cymulate Immediate Threats ID
- Cymulate Immediate Threats File Type
This integration allows you to manage and interact with the Microsoft security and compliance content search.
This playbook performs the following steps:
- Creates the new purge compliance search action.
- Waits for the compliance search action to complete.
- Retrieves the delete search action.
This playbook performs the following steps:
- Creates a compliance search.
- Starts a compliance search.
- Waits for the compliance search to complete.
- Gets the results of the compliance search.
- Gets the preview results, if specified.
- Deletes the search results (Hard/Soft purge).
This playbook performs the following steps:
- Creates the new Preview compliance search action (based on the created compliance search).
- Waits until the preview action completes.
- Retrieves the preview results.
This playbook performs the following steps:
- Creates a compliance search.
- Starts a compliance search.
- Wait for the compliance search to complete.
- Gets the results of the compliance search as an output.
- Gets the preview results, if specified.
Offboarding Date - Updated the entity to conform to the new schema standards.
- Expanse Exposure Type
- Expanse Severity
- ExpanseRawJSONEvent
- Expanse Business Unit
- Expanse Behavior Rule
- Fixed an issue where processing an indicator without a value raised an exception.
- Updated the Docker image to: demisto/teams:1.0.0.14318.
Added support for Domain indicators context extraction.
Maintenance and stability enhancements.
- List of Rules - Offense
- Destination Network - Offense
- Status - Offense
- Low Level Categories - Offense
- Credibility - Offense
- Number Of Flows
- Description - Offense
- Username Count - Offense
- Source Network - Offense
- ID - Offense
- Severity - Offense
- Source IP - Offense
- Type - Offense
- Number Of Events In Offense
- Magnitude - Offense
- Domain - Offense
- Destination IP - Offense
- Relevance - Offense
- Number Of Fetched Events
- Offense Inactive
Improved the error message when testing an integration instance with the Fetch Mode integration parameter set to Fetch With All Events or Fetch Correlation Events Only and no Event fields were provided.
Qradar Generic - Added the usernames field to the layout.
- Indeni Issue ID
- Indeni Device ID
Maintenance and stability enhancements.
- Added support for account-based authentication.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Improved implementation of error handling when an unexpected content type was returned.
Fixed an integration argument bug when fetching event logs from Logz.io.
- MITRE Platforms
- MITRE Extended Aliases
- MITRE Description
- MITRE Contributors
- MITRE Aliases
- MITRE Labels
- MITRE ID
- MITRE Permissions Required
- MITRE Kill Chain Phases
- MITRE Detection
- MITRE Type
- MITRE Version
- MITRE Impact Type
- MITRE Data Sources
- MITRE External References
- MITRE Name
- MITRE Defense Bypassed
Maintenance and stability enhancements.
Microsoft CAS Alert
- Added the timeout argument to the microsoft-atp-advanced-hunting command.
- Updated the Docker image to: demisto/crypto:1.0.0.14297.
- Exactly what happened, and at what times?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- How could information sharing with other organizations have been improved?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- What corrective actions can prevent similar incidents in the future?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What would the staff and management do differently the next time a similar incident occurs?
- Graph Plot
- FAERE Description
Target Firewall Version - Updated the entity to conform to the new schema standards.
- PCAP file
- PCAP Flows
- PCAP Start Time
- PCAP Number Of Packets
- PCAP End Time
- PCAP Number Of Streams
- PCAP File Name
- PCAP File Size
- Fixed an issue where the PagerDuty-incidents command failed when non-ASCII characters were returned from the API response.
- Fixed an issue where triggering events failed due to changes done in the previous version.
Added mapping to the LastMirroredInTime field.
Added mapping to the following fields.
- XDR Alerts
- XDR File Artifacts
- XDR Network Artifacts
- XDR Modification Time
- LastMirroredInTime fields.
- XDR Modification Time
- LastMirroredInTime
- XDR manual severity
XDR Modification Time - Updated the entity to conform to the new schema standards.
Changed the name of the event_timestampt argument to event_timestamp in the xdr-insert-parsed-alert command.
-
Added 9 commands.
- xdr-delete-endpoints
- xdr-get-policy
- xdr-get-endpoint-device-control-violations
- xdr-retrieve-files
- xdr-retrieve-file-details
- xdr-get-scripts
- xdr-get-script-metadata
- xdr-get-script-code
- xdr-action-get-status
-
Added the option to return only modified incidents from the xdr-get-incident-extra-data command to improve mirroring rate limit handling.
-
Updated the Docker image to: demisto/python3:3.8.6.12176.
Added a playbook that takes an action ID and checks its action status.
Added a playbook that retrieves a file from selected endpoints and adds the file link to the War Room.
- Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
- Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
- Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v3 playbook.
- Added the internalRanges input to the XDR Alerts handling sub-playbook.
- Updated the description for the LinkSimilarIncidents playbook input to specify that it requires the Demisto REST API integration.
- Replaced the PANW - Hunting and threat detection by indicator type V2 playbook with the Palo Alto Networks - Hunting And Threat Detection playbook.
- Passed the internalRanges value to the XDR Alerts handling sub-playbook input through the XDR Incident Handling v2 playbook.
- Added the internalRanges input to the XDR Alerts handling sub-playbook.
Updated the host_ip input for the Cortex XDR - Malware Investigation sub-playbook to accept the host IP list.
Fixed an issue where an error was raised when the playbook expected lateral movement alerts as part of port scan events.
Updated to support the xdr-get-incident-extra-data command enhancement in order to avoid rate limit errors from XDR.
Pentera Operation Details - Updated the entity to conform to the new schema standards.
Breaking Change: Updated the url command to return multiple entries (entry per indicator) instead of a single entry.
-
Breaking Change: Updated the following reputation commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- domain
- file
- url
- process
- registry
-
Updated the Docker image to: demisto/python3:3.8.6.14516.
- Added the redlock-get-RQL-response command.
- Added the ability to snooze alerts.
- Prisma Cloud Compute Project
- Prisma Cloud Compute Error
- Prisma Cloud Compute Forensic
- Prisma Cloud Compute Line
- Prisma Cloud Compute Function
- Prisma Cloud Compute Log File
- Prisma Cloud Compute Collections
- Prisma Cloud Compute Container
- Prisma Cloud Compute Category
- Prisma Cloud Compute Image
- Prisma Cloud Compute Raw Alert JSON
- Prisma Cloud Compute Markdown
- Prisma Cloud Compute Total
- Prisma Cloud Compute AppID
- Prisma Cloud Compute Host
- Prisma Cloud Compute Message
- Prisma Cloud Compute Command
- Prisma Cloud Compute Type
- Prisma Cloud Compute FQDN
- Prisma Cloud Compute Service Type
- Prisma Cloud Compute Kubernetes Resource
- Prisma Cloud Compute Activity Type
- Prisma Cloud Compute Rule
- Prisma Cloud Compute Runtime
- Prisma Cloud Compute Registry
- Prisma Cloud Compute Provider
- Prisma Cloud Compute User
- Prisma Cloud Compute Distribution
- Prisma Cloud Compute Interactive
- Prisma Cloud Compute Credential ID
- Prisma Cloud Compute Region
- Prisma Cloud Compute Protected
- Prisma Cloud Compute Service
- Prisma Cloud Compute Labels
- Fixed an issue where some alerts were not processed properly when fetching incidents.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
- Improved the implementation of the error handling in the proofpoint-download-email command.
- Improved the description of the message_id argument in the proofpoint-download-email command.
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- url
- domain
- Added missing outputs to the url command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
- Added the SolarStorm and SUNBURST Hunting and Response playbook.
- Updated the playbook description.
- The playbook will be available from Cortex XSOAR v5.5.
Recorded Future Evidence Details - Updated the entity to conform to the new schema standards.
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- df-asset-connections
- df-get-asset commands
- df-asset-connections
- Updated the Docker image to the latest version.
- Suggestions and discussion of how to improve the team
- What were the areas where the CIRT teams were effective?
- How was the incident contained and eradicated?
- What was the work performed during recovery?
- What was the scope of the incident?
- When was the problem first detected and by whom?
- What are the areas that need improvement?
- SANS Stage
SafeBreach Insight - Updated the entity to conform to the new schema standards.
- Improved error message processing from the SentinelOne API.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Added the ServiceNow CMDB integration.
- Added the filtered_tags parameter to filter the messages sent from Demisto by tags. Only supported in Cortex XSOAR V6.1 and above.
- Fixed an issue where an error was raised when a non-strict JSON passed to the blocks argument in the send-notification command.
- IllusionBLACK Threat Parse
- IllusionBLACK Events
- IllusionBLACK Decoy ID
- IllusionBLACK Attacker ID
- IllusionBLACK Attack Type
- Updated the ip command with new code conventions.
- Fixed the outputs of the ip command.
- Updated the Docker image to: demisto/python3:3.8.6.13358.
Fixed an issue where providing a raw field that is wrapped in double quotes in a notable event would return with the key set as the value in the incident metadata if it did not exist.
Fixed an issue where files with special characters in their names were not handled properly in the symantec-cma-upload-file command.
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- url
- domain
- file
- Added missing outputs to the following commands.
- ip
- url
- domain
- file
- Updated the Docker image to: demisto/aiohttp:1.0.0.13810.
Breaking Change: Fixed an issue where the argument name in the tripwire-rules-list command was wrong.
- Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- trustar-indicator-summaries
- trustar-related-indicators
- trustar-indicator-summaries
- trustar-get-whitelisted-indicators
- trustar-trending-indicators
- trustar-get-indicators-for-report
- trustar-search-indicators
- trustar-get-phishing-indicators
- Updated the Docker image to: demisto/trustar:20.2.0.13605.
Breaking Change: Updated the following commands to return multiple entries (entry per indicator) instead of a single entry.
- ip
- xmcyber-hostname
Breaking Change: Removed the following items from the pack.
- Incident field (from Pong)
- Incident types (from Ping and Pong)
- Classifier
- Mapper
Maintenance and stability enhancements.
Added a default mapper for the integration.
Maintenance and stability enhancements.
Updated the Docker image to: demisto/python3:3.8.6.13358.
Fetches indicators from iDefense feed according to the applied filters.