Welcome to the 20.7.0 Content release for Cortex XSOAR. Starting from the 20.6.0 release, we restructured our release notes to be based upon Content Packs. One of our team's top priorities is making our Content more accessible and understandable for both users and contributors. In this effort, we recently moved our Content repo to work in Packs format, where there is a clear separation and grouping of Content artifacts. Each Content Pack provides a clear grouping of related Content artifacts used to either implement a use case, implement an integration, or provide a clear set of functionality. Our new release notes are structured around Content Packs, and you will see related Content artifacts grouped together according to Packs. We hope you will find this new format useful and clear.
The following Integrations were deprecated in November 2019:
- Azure Compute
- Azure Security Center
These integrations will reach end of life on July 31, 2020, due to changes to the backend authentication services needed for these integrations. Use the Azure Compute v2 and Azure Security Center v2 integrations instead.
Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis and to retrieve reports.
Detonates a file using the CrowdStrike Falcon X sandbox.
Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
This integration allows you to check if your personal information, such as your email, username, or password, has been compromised.
The Google Kubernetes Engine integration is used for building and managing container-based applications in Google Cloud Platform (GCP), powered by the open source Kubernetes technology.
This playbook checks the operation status of the Google Kubernetes Engine. It runs until the operation completes, and facilitates the waiting between steps in Cluster configuration.
Use this integration to manage Service Desk Plus requests. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution.
Use the Microsoft Azure AD Connect Health Feed integration to get indicators from the feed.
Use the Quest KACE integration to provision, manage, secure, and service all network-connected devices.
Unit42 feed of published IOCs, which contains known malicious indicators.
Use the Workday integration to manage workers and employees.
You can now use the new Zoom site configuration using the feed.
Ingests indicator feeds from TAXII 2.0 and 2.1 servers.
Added the Tags parameter.
- Fixed a bug in which some fetches returned duplicate alerts.
- Added the Use REST Endpoints integration parameter, which enables using REST endpoints for the as-get-entries and as-clear-entries commands.
Fixed an issue where errors were not handled as expected.
Added the Tags parameter.
- Fixed SVG image rendering in doc reports.
- Added the ability to add customer logos to doc reports.
- Reverted changes made in v1.0.12.
- Fixed word overlapping in graphs.
- Rolled back the Docker image to fix a conflict issue.
- Updated the sane-pdf-reports Docker tag, which fixes the graph labels overlap bug.
- Fixed an issue where the to_context function did not return the proper outputs when the CommandResult object was supplied with only readable_outputs.
- Fixed an issue where the to_context function returned null instead of an empty list when supplied with empty outputs.
- Added wrapper functions for getting and setting integration context.
Added the Tags parameter.
Updated the playbook to use the Carbon Black Enterprise Protection v2 integration.
Fixed an issue where the checkpoint command did not work as expected.
Added the FortiGate Ban IP command to the Block IP - Generic v2 playbook.
- Fixed an issue where errors were not handled as expected.
- Fixed an issue where EML files with the content type "message/rfc822" were not recognized as expected.
Fixed an issue where the script failed with a mixed-types error.
Improved the error message when an invalid JSON entry is given.
Added the Feed Related Indicators section to the layout.
Added the Feed Related Indicators section to the layout.
Added the Feed Related Indicators section to the layout.
Added the Feed Related Indicators section to the layout.
- Added support for IPv4 and IPv6 indicator types to the cs-device-ran-on command.
- Deprecated the following commands:
  - cs-resolve-detection: Use the cs-falcon-resolve-detection command from the CrowdStrike Falcon integration instead.
  - cs-detection-details: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
  - cs-detection-search: Use the cs-falcon-search-detection command from the CrowdStrike Falcon integration instead.
- Deprecated the following commands:
Fixed a bug where fetch_incidents printed an error message if no new incidents/alerts were found.
Fixed a bug where running the integration resulted in an "exceptions must derive from BaseException" error.
- Fixed an issue in which the offset for the fetch did not function as expected.
- Improved error handling in the kafka-print-topics command.
Fixed an issue where the limit argument did not work when set above 25 in the kenna-search-fixes command.
Search for incidents by arguments with an option to hash some of the incident's fields.
Added the Tags parameter.
- Added outputs to the panorama-get-logs command.
- Added the source_zone and destination_zone arguments to the panorama-create-rule command.
Added the new layout Palo Alto Networks - Endpoint Malware Investigation v2.
Added the new playbook Palo Alto Networks - Endpoint Malware Investigation v2.
This playbook is used to parse and search within PCAP files.
This playbook is used to parse and extract indicators within PCAP files and perform enrichment on the detected indicators.
Added the Panorama Best Practice Assessment incident layout.
Marked the generate_zip_bundle filter to fetch the report bundle ZIP file.
Added Comprehensive PAN-OS Best Practice Assessment to the pack.
Investigates a Cortex XDR incident that contains internal malware alerts. The playbook does the following:
- Enriches the infected endpoint details.
- Lets the analyst manually retrieve the malicious file.
- Performs file detonation.
The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.
Investigates a Cortex XDR incident that contains internal port scan alerts. The playbook does the following:
- Syncs data with Cortex XDR.
- Notifies management about a compromised host.
- Escalates the incident in case of lateral movement alert detection.
The playbook is used as a sub-playbook in the Cortex XDR Incident Handling - v2 playbook.
This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:
- Malware
- Port Scan
This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
Added a conditional task that validates if an EDL security rule with the same name already exists.
The task that updates the email headers in the layout will no longer continue on errors.
The task that updates the email headers in the layout will no longer continue on errors.
Added the Tags parameter.
- Fixed an issue where the rasterize-image command returned an image instead of a PDF file.
- Added support for additional languages.
Added the Tags parameter.
Fixed an issue where the remedy-incident-update and remedy-get-incident commands required the request ID instead of the entry ID.
Added risksense-apply-tag, which applies tags as part of the playbook.
Blocks IP addresses and applies the tag to assets that are vulnerable to the specified CVE.
Displays a bar chart based on the CVEs count and the trending CVEs count, in different colors.
Fixed the test button to work with debug mode.
Increased integration context reliability by using versions (supported in Cortex XSOAR v6.0 and later).
Added support for the content type LOCAL_CATEGORY_DB.
Added the Tags parameter.
Deprecated. Use the ThreatConnect v2 integration instead.
Use the ThreatConnect v2 integration to manage your threat intelligence environment.
Fixed an issue where the URL schema was enforced in the url command.
The TruSTAR v2 integration introduces rewritten code, tests, docstrings on code functions, and new commands. For commands that return indicators, the data is put in three contexts:
- The standard context, without the malicious field because TruSTAR doesn't currently have a score for every indicator.
- DBotScore context with score as 0 for the same reason.
- TruSTAR context with all the information returned by the command.
- trustar-get-reports
- trustar-get-enclaves
- trustar-related-indicators
- trustar-indicators-metadata
- trustar-indicator-summaries
- trustar-get-whitelisted-indicators
- trustar-move-report
- trustar-trending-indicators
- trustar-get-indicators-for-report
- trustar-search-indicators
- trustar-submit-report
- trustar-delete-report
- trustar-correlated-reports
- trustar-add-to-whitelist
- trustar-remove-from-whitelist
- trustar-report-details
- trustar-update-report
- trustar-search-reports
- trustar-get-phishing-indicators
- trustar-get-phishing-submissions
- trustar-set-triage-status
- trustar-copy-report
Deprecated. Use the TruSTAR v2 integration instead.
- Added a new widget to the layout.
- Added Notifications status to the layout.
Added setincidents to the playbook for the new layout.
Added setincidents to the playbook for the new layout.
Added setincidents to the playbook for the new layout.
Added setincidents to the playbook for the new layout.
- Added the multiple argument to the url command, which when set to "false" enables users to submit singular URLs that contain commas.
- Improved list handling for the zscaler-category-add-url and zscaler-category-add-ip commands.
Fixed an issue where the Set API token parameter was visible in the integration configuration window.
Deprecated. Use the Okta v2 integration instead.