diff --git a/Packs/ApiModules/.pack-ignore b/Packs/ApiModules/.pack-ignore
index 3386ce6c2fee..9aebf4130a83 100644
--- a/Packs/ApiModules/.pack-ignore
+++ b/Packs/ApiModules/.pack-ignore
@@ -17,4 +17,16 @@ ignore=BA124
ignore=BA124
[tests_require_network]
-NGINXApiModule
\ No newline at end of file
+NGINXApiModule
+
+[file:CSVFeedApiModule.yml]
+ignore=DS108
+
+[file:MicrosoftApiModule.yml]
+ignore=DS108
+
+[file:TAXII2ApiModule.yml]
+ignore=DS108
+
+[file:JSONFeedApiModule.yml]
+ignore=DS108
\ No newline at end of file
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index f69ce16b2f71..ed9e99f9bb17 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -152,6 +152,7 @@ def get_endpoints(self,
endpoint_id_list=None,
dist_name=None,
ip_list=None,
+ public_ip_list=None,
group_name=None,
platform=None,
alias_name=None,
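Review bot: The new `public_ip_list` parameter is added to the `get_endpoints` signature without any accompanying documentation, and the parameter's meaning (public vs. agent-reported address) is only explained in the YAML argument description elsewhere in this change. If `get_endpoints` has a docstring below this hunk, add an entry such as `public_ip_list (list, optional): public IPv4 addresses (the agent's "Last Origin IP") to filter on; forwarded unchanged to create_request_filters.` The `def` line and the rest of the function body are outside this hunk.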
@@ -181,7 +182,7 @@ def get_endpoints(self,
status=status, username=username, endpoint_id_list=endpoint_id_list, dist_name=dist_name,
ip_list=ip_list, group_name=group_name, platform=platform, alias_name=alias_name, isolate=isolate,
hostname=hostname, first_seen_gte=first_seen_gte, first_seen_lte=first_seen_lte,
- last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte
+ last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte, public_ip_list=public_ip_list
)
if search_from:
@@ -1809,6 +1810,7 @@ def get_endpoints_command(client, args):
endpoint_id_list = argToList(args.get('endpoint_id_list'))
dist_name = argToList(args.get('dist_name'))
ip_list = argToList(args.get('ip_list'))
+ public_ip_list = argToList(args.get('public_ip_list'))
group_name = argToList(args.get('group_name'))
platform = argToList(args.get('platform'))
alias_name = argToList(args.get('alias_name'))
@@ -1845,6 +1847,7 @@ def get_endpoints_command(client, args):
endpoint_id_list=endpoint_id_list,
dist_name=dist_name,
ip_list=ip_list,
+ public_ip_list=public_ip_list,
group_name=group_name,
platform=platform,
alias_name=alias_name,
@@ -3461,6 +3464,7 @@ def create_request_filters(
endpoint_id_list: Optional[List] = None,
dist_name: Optional[List] = None,
ip_list: Optional[List] = None,
+ public_ip_list: Optional[List] = None,
group_name: Optional[List] = None,
platform: Optional[List] = None,
alias_name: Optional[List] = None,
@@ -3509,6 +3513,13 @@ def create_request_filters(
'value': ip_list
})
+ if public_ip_list:
+ filters.append({
+ 'field': 'public_ip_list',
+ 'operator': 'in',
+ 'value': public_ip_list
+ })
+
if group_name:
filters.append({
'field': 'group_name',
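Review bot: The new `public_ip_list` filter forwards the caller-supplied strings to the API verbatim, even though the argument is documented as IPv4-only, so a malformed or whitespace-padded entry will only fail server-side with an opaque error (and `argToList` may or may not strip whitespace, depending on the CommonServerPython version bundled). Consider rejecting bad input before the request is built, e.g. `bad = [ip for ip in public_ip_list if not is_ip_valid(ip)]` followed by `if bad: raise DemistoException(f'Invalid public IP address(es): {", ".join(bad)}')`, assuming `is_ip_valid` and `DemistoException` are in scope via the usual `from CommonServerPython import *`. I also cannot confirm from this diff that the backend filter field is literally `public_ip_list` with operator `in`; a unit test asserting the serialized filter body would pin that down. `create_request_filters` starts and ends outside this hunk.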
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
index 3edb30b83f03..616cda231ca8 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
@@ -12,5 +12,7 @@ comment: Common Core IR Client, provides generic Infrastructure.
scripttarget: 0
dependson: {}
timeout: 0s
-dockerimage: demisto/python3:3.10.1.27636
+dockerimage: demisto/python3:3.10.13.78960
fromversion: 5.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/ApiModules/pack_metadata.json b/Packs/ApiModules/pack_metadata.json
index 3fb471e15894..940629929a27 100644
--- a/Packs/ApiModules/pack_metadata.json
+++ b/Packs/ApiModules/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "ApiModules",
"description": "API Modules",
"support": "xsoar",
- "currentVersion": "2.2.20",
+ "currentVersion": "2.2.21",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -13,6 +13,7 @@
"keywords": [],
"marketplaces": [
"xsoar",
- "marketplacev2"
+ "marketplacev2",
+ "xpanse"
]
}
\ No newline at end of file
diff --git a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
index 68217c56db9b..702329c3ec5f 100644
--- a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
+++ b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
@@ -100,19 +100,24 @@ script:
isArray: true
name: dist_name
- description: |-
- A comma-separated list of IP addresses.
- Example: 8.8.8.8,1.1.1.1.
+ A comma-separated list of private IP addresses.
+ Example: 10.1.1.1,192.168.1.1.
isArray: true
name: ip_list
+ - description: |-
+ A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
+ Example: 8.8.8.8,1.1.1.1.
+ isArray: true
+ name: public_ip_list
- description: |-
The group name to which the agent belongs.
Example: group_name1,group_name2.
isArray: true
name: group_name
- - auto: PREDEFINED
- description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
+ - description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
isArray: true
name: platform
+ auto: PREDEFINED
predefined:
- windows
- linux
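Review bot: The new `public_ip_list` description near the top of the hunk has a typo, `(know as \`Last Origin IP\`)`, which should read `(known as \`Last Origin IP\`)`. Relabeling `ip_list` as "private IP addresses" presumably means the addresses the agent reports for the endpoint's own interfaces rather than strictly RFC 1918 ranges; if so, say that explicitly, e.g. `A comma-separated list of endpoint IP addresses as reported by the agent (typically private/internal addresses).`, so that a host whose NIC carries a routable address is not assumed to be reachable only through `public_ip_list`. Stating that `public_ip_list` matches the connection source seen by the Cortex XDR backend (a NAT/proxy egress address, not necessarily the host's own) would also help analysts pick the right filter during an investigation.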
@@ -121,19 +126,20 @@ script:
- description: |-
A comma-separated list of alias names.
Examples: alias_name1,alias_name2.
- isArray: true
name: alias_name
- - auto: PREDEFINED
- description: Specifies whether the endpoint was isolated or unisolated.
+ isArray: true
+ - description: |-
+ Specifies whether the endpoint was isolated or unisolated.
name: isolate
+ auto: PREDEFINED
predefined:
- isolated
- unisolated
- description: |-
Hostname
Example: hostname1,hostname2.
- isArray: true
name: hostname
+ isArray: true
- description: |-
All the agents that were first seen after {first_seen_gte}.
Supported values:
@@ -165,9 +171,9 @@ script:
- defaultValue: '0'
description: Page number (for pagination). The default is 0 (the first page).
name: page
- - defaultValue: '30'
- description: Maximum number of endpoints to return per page. The default and maximum is 30.
+ - description: Maximum number of endpoints to return per page. The default and maximum is 30.
name: limit
+ defaultValue: '30'
- auto: PREDEFINED
description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
name: sort_by
@@ -175,16 +181,16 @@ script:
- first_seen
- last_seen
- auto: PREDEFINED
- defaultValue: asc
description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
name: sort_order
predefined:
- asc
- desc
- - auto: PREDEFINED
+ defaultValue: asc
+ - name: status
description: A comma-separated list of endpoints statuses to filter.
- name: status
isArray: true
+ auto: PREDEFINED
predefined:
- connected
- disconnected
@@ -2864,7 +2870,7 @@ script:
script: '-'
subtype: python3
type: python
- dockerimage: demisto/python3:3.10.13.78960
+ dockerimage: demisto/python3:3.10.13.80014
tests:
- No tests
fromversion: 6.2.0
diff --git a/Packs/Core/Integrations/CortexCoreIR/README.md b/Packs/Core/Integrations/CortexCoreIR/README.md
index 75ebd36bf82e..4d5c966fb06a 100644
--- a/Packs/Core/Integrations/CortexCoreIR/README.md
+++ b/Packs/Core/Integrations/CortexCoreIR/README.md
@@ -84,7 +84,8 @@ Gets a list of endpoints, according to the passed filters. If there are no filte
| --- | --- | --- |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names.
Example: dist_name1,dist_name2. | Optional |
-| ip_list | A comma-separated list of IP addresses.
Example: 8.8.8.8,1.1.1.1. | Optional |
+| ip_list | A comma-separated list of private IP addresses.
Example: 10.1.1.1,192.168.1.1. | Optional |
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs.
Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names.
Examples: alias_name1,alias_name2. | Optional |
diff --git a/Packs/Core/ReleaseNotes/2_1_2.md b/Packs/Core/ReleaseNotes/2_1_2.md
new file mode 100644
index 000000000000..f08a2048804d
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/2_1_2.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+- Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+- Added the *public_ip_list* argument for the ***core-get-endpoints*** command.
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 1bb9df41edc1..85ccc98537f1 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Core - Investigation and Response",
"description": "Automates incident response",
"support": "xsoar",
- "currentVersion": "2.1.1",
+ "currentVersion": "2.1.2",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/CortexXDR/.pack-ignore b/Packs/CortexXDR/.pack-ignore
index 5ac0b6eb849b..71e95997bfb3 100644
--- a/Packs/CortexXDR/.pack-ignore
+++ b/Packs/CortexXDR/.pack-ignore
@@ -54,6 +54,10 @@ xql
indicatorsvalues
setindicators
printerrorentry
+SSO
+RDP
+XCLOUD
+Cryptomining
[file:classifier-PaloAltoNetworks_CortexXDR.json]
ignore=BA101
@@ -122,4 +126,7 @@ ignore=IF115
ignore=IF115
[file:CortexXDRInvestigationVerdict.yml]
-ignore=BA124
\ No newline at end of file
+ignore=BA124
+
+[file:XDR_Last_Mirrored_In_Time.json]
+ignore=IF113
\ No newline at end of file
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
index c1ad3baa0804..d126b194ec34 100644
--- a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
+++ b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
@@ -21,5 +21,8 @@
"weeks": 0,
"weeksR": 0,
"fromVersion": "6.0.0",
- "layout": "Cortex XDR Incident"
+ "layout": "Cortex XDR Incident",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
index 00f9ed5fab9d..ff68d7b15771 100644
--- a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
+++ b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
@@ -22,5 +22,8 @@
"weeksR": 0,
"fromVersion": "5.0.0",
"toVersion": "5.9.9",
- "layout": "Cortex XDR Incident"
+ "layout": "Cortex XDR Incident",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json
index b07a04a13f83..8df040717d06 100644
--- a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json
+++ b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_Lite.json
@@ -24,6 +24,8 @@
"version": -1,
"weeks": 0,
"weeksR": 0,
- "fromVersion": "6.9.0"
-
+ "fromVersion": "6.9.0",
+ "marketplaces": [
+ "xsoar"
+ ]
}
\ No newline at end of file
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
index 3f01e48c6d95..d8cfc744e5ab 100644
--- a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
+++ b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
@@ -26,5 +26,8 @@
"mode": "Specific",
"fieldCliNameToExtractSettings": {}
},
- "fromVersion": "6.5.0"
+ "fromVersion": "6.5.0",
+ "marketplaces": [
+ "xsoar"
+ ]
}
\ No newline at end of file
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json b/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
index 2317ab12c398..95dd07f0116a 100644
--- a/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
+++ b/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
@@ -18,5 +18,8 @@
"version": -1,
"weeks": 0,
"weeksR": 0,
- "fromVersion": "5.5.0"
+ "fromVersion": "5.5.0",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
index 6eb293a4c55f..b223beed259e 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
@@ -780,10 +780,15 @@ script:
isArray: true
name: dist_name
- description: |-
- A comma-separated list of IP addresses.
- Example: 8.8.8.8,1.1.1.1.
+ A comma-separated list of private IP addresses.
+ Example: 10.1.1.1,192.168.1.1.
isArray: true
name: ip_list
+ - description: |-
+ A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
+ Example: 8.8.8.8,1.1.1.1.
+ isArray: true
+ name: public_ip_list
- description: |-
The group name to which the agent belongs.
Example: group_name1,group_name2.
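Review bot: The new `public_ip_list` description in this hunk repeats the typo `(know as \`Last Origin IP\`)`; it should be `(known as \`Last Origin IP\`)`, and since the README is generated from this YAML the fix belongs here. The `ip_list` relabel to "private IP addresses" presumably refers to the addresses the agent reports for its own interfaces rather than RFC 1918 ranges only; a wording such as `A comma-separated list of endpoint IP addresses as reported by the agent (typically private/internal addresses).` would avoid implying that a host with a routable interface address must be queried via `public_ip_list`. Clarifying that `public_ip_list` matches the source address seen by the XDR backend (often a NAT or proxy egress address rather than the host's own) would help analysts choose the right filter.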
@@ -801,19 +806,20 @@ script:
- description: |-
A comma-separated list of alias names.
Examples: alias_name1,alias_name2.
- isArray: true
name: alias_name
- - auto: PREDEFINED
- description: Specifies whether the endpoint was isolated or unisolated.
+ isArray: true
+ - description: |-
+ Specifies whether the endpoint was isolated or unisolated.
name: isolate
+ auto: PREDEFINED
predefined:
- isolated
- unisolated
- description: |-
Hostname
Example: hostname1,hostname2.
- isArray: true
name: hostname
+ isArray: true
- description: |-
All the agents that were first seen after {first_seen_gte}.
Supported values:
@@ -845,19 +851,19 @@ script:
- defaultValue: '0'
description: Page number (for pagination). The default is 0 (the first page).
name: page
- - defaultValue: '30'
- description: Maximum number of endpoints to return per page. The default and maximum is 30.
+ - description: Maximum number of endpoints to return per page. The default and maximum is 30.
name: limit
+ defaultValue: '30'
- auto: PREDEFINED
description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
name: sort_by
predefined:
- first_seen
- last_seen
- - auto: PREDEFINED
- defaultValue: asc
+ - name: sort_order
description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
- name: sort_order
+ auto: PREDEFINED
+ defaultValue: asc
predefined:
- asc
- desc
@@ -3466,7 +3472,7 @@ script:
isArray: true
name: xdr-remove-user-role
description: Remove one or more users from a role.
- dockerimage: demisto/python3:3.10.13.78960
+ dockerimage: demisto/python3:3.10.13.80014
isfetch: true
script: ''
subtype: python3
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
index 0d6f553f7a47..bf5e7e6f228e 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
@@ -690,7 +690,8 @@ Builtin Roles with this permission includes: "Privileged Responder", "Viewer" an
| status | A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated. | Optional |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names.
Example: dist_name1,dist_name2. | Optional |
-| ip_list | A comma-separated list of IP addresses.
Example: 8.8.8.8,1.1.1.1. | Optional |
+| ip_list | A comma-separated list of private IP addresses.
Example: Example: 10.1.1.1,192.168.1.1. | Optional |
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the Cortex XDR agent connected (know as `Last Origin IP`).
Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs.
Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names.
Examples: alias_name1,alias_name2. | Optional |
diff --git a/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml b/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml
index 41a5adc5bddf..8a13b1225d6f 100644
--- a/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml
+++ b/Packs/CortexXDR/Integrations/XDR_iocs/XDR_iocs.yml
@@ -203,7 +203,7 @@ script:
required: true
description: Disables IOCs in the XDR server.
name: xdr-iocs-disable
- dockerimage: demisto/python3:3.10.13.75921
+ dockerimage: demisto/python3:3.10.13.80014
feed: true
runonce: false
script: '-'
diff --git a/Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.yml b/Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.yml
index 3d27078fd397..77385eb8fcd2 100644
--- a/Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.yml
+++ b/Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.yml
@@ -895,7 +895,7 @@ script:
- description: XDR endpoint ID to run the query on.
isArray: true
name: endpoint_id
- - description: 'event log ID to search. - Windows: Event ID of the event-log - Linux: For action_evtlog_source = AuthLog, one of the following: 0 = Unknown 1 = Successful Login 2 = Failed Login 3 = Failed Password (Same as failed login, but should include a username) 4 = Logout'
+ - description: 'event log ID to search. - Windows: Event ID of the event-log - Linux: For action_evtlog_source = AuthLog, one of the following: 0 = Unknown 1 = Successful Login 2 = Failed Login 3 = Failed Password (Same as failed login, but should include a username) 4 = Logout.'
isArray: true
name: event_id
required: true
@@ -1096,7 +1096,7 @@ script:
description: DNS query name.
type: String
- contextPath: PaloAltoNetworksXQL.DNS.results.action_app_id_transitions
- description: List of application IDs action, actual activities that took place and recorded by the agent
+ description: List of application IDs action, actual activities that took place and recorded by the agent.
type: String
- contextPath: PaloAltoNetworksXQL.DNS.results.action_total_download
description: Total downloads.
@@ -1553,7 +1553,7 @@ script:
- contextPath: PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results._product
description: The result product.
type: String
- dockerimage: demisto/python3:3.10.12.63474
+ dockerimage: demisto/python3:3.10.13.80014
runonce: false
script: '-'
subtype: python3
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
index 2035b3a73ef1..28f15d9485b6 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
@@ -1,7 +1,7 @@
id: Cortex XDR - Port Scan - Adjusted
version: -1
name: Cortex XDR - Port Scan - Adjusted
-description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan"
+description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan."
starttaskid: "0"
tasks:
"0":
@@ -2755,7 +2755,7 @@ outputs:
description: Lateral Movement First Date time from the port scan alert.
type: unknown
- contextPath: PortScan.PortScanFirstDatetime
- description: Port Scan First Date time
+ description: Port Scan First Date time.
type: unknown
tests:
- Test XDR Playbook general commands
@@ -2764,3 +2764,5 @@ tests:
fromversion: 5.0.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
index 4b44b94483ec..acf9787cb5f2 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
@@ -3,7 +3,7 @@ version: -1
contentitemexportablefields:
contentitemfields: {}
name: Cortex XDR Alerts Handling
-description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cloud Cryptojacking\n- Cloud Token Theft\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation"
+description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cloud Cryptojacking\n- Cloud Token Theft\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation."
starttaskid: "0"
tasks:
"0":
@@ -237,8 +237,7 @@ tasks:
id: 12258730-025a-4931-8da9-9f68bfb6a32c
version: -1
name: Cortex XDR - get incident extra data
- description: Returns additional data for the specified incident, for example,
- related alerts, file artifacts, network artifacts, and so on.
+ description: Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
script: Cortex XDR - IR|||xdr-get-incident-extra-data
type: regular
iscommand: true
@@ -1371,8 +1370,7 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.alerts.name
description: Calculated name of the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.category
- description: Category of the alert, for example, Spyware Detected via Anti-Spyware
- profile.
+ description: Category of the alert, for example, Spyware Detected via Anti-Spyware profile.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.host_ip
description: Host IP involved in the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.host_name
@@ -1380,38 +1378,17 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.alerts.user_name
description: User name involved with the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.event_type
- description: 'Event type: "Process Execution","Network Event","File Event","Registry
- Event","Injection Event","Load Image Event","Windows Event Log".'
+ description: 'Event type: "Process Execution","Network Event","File Event","Registry Event","Injection Event","Load Image Event","Windows Event Log".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action
- description: 'The action that triggered the alert. "REPORTED", "BLOCKED", "POST_DETECTED",
- "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1",
- "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8",
- "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15",
- "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4",
- "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23".'
+ description: 'The action that triggered the alert. "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action_pretty
- description: 'The action that triggered the alert: "Detected (Reported)" "Prevented
- (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)"
- "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied
- The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session
- And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)"
- "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented
- (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)"
- "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented
- (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)"
- "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)"
- "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP
- Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected
- (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)"
- "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire
- Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)".'
+ description: 'The action that triggered the alert: "Detected (Reported)" "Prevented (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)" "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)" "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)" "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)" "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)" "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)" "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name
description: Image name.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line
description: Command line.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status
- description: 'Signature status: "Signed" "Invalid Signature" "Unsigned" "Revoked"
- "Signature Fail" "N/A" "Weak Hash".'
+ description: 'Signature status: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor
description: Signature vendor name.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256
@@ -1423,31 +1400,27 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_domain
description: The domain related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_country
- description: The country related to the artifact
+ description: The country related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip
description: The remote IP related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status
- description: 'Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED",
- "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH".'
+ description: 'Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.is_process
description: Whether the file artifact is related to a process execution.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_name
description: Name of the file.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict
- description: 'The file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE",
- "PHISHING", "UNKNOWN".'
+ description: 'The file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE", "PHISHING", "UNKNOWN".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious
description: Whether the artifact is malicious, decided by the Wildfire verdict.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.type
- description: 'The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY",
- "HOSTNAME".'
+ description: 'The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256
description: SHA256 hash of the file.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name
description: File signature vendor name.
- contextPath: PortScan.BlockPorts
- description: Indicates whether there's a need to block the ports used for exploitation
- on the scanned host.
+ description: Indicates whether there's a need to block the ports used for exploitation on the scanned host.
type: unknown
- contextPath: PortScan.AttackerIPs
description: Attacker IPs from the port scan alert.
@@ -1473,3 +1446,5 @@ outputs:
tests:
- No tests (auto formatted)
fromversion: 5.0.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
index 7b0978cd44db..2ba8db356293 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
@@ -2097,3 +2097,5 @@ tests:
fromversion: 6.5.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
index cb9146354164..1aee8f4d40d8 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
@@ -2177,3 +2177,5 @@ fromversion: 6.8.0
contentitemexportablefields:
contentitemfields: {}
system: true
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
index 26f77cac1237..57f491c1b707 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
@@ -3125,3 +3125,5 @@ tests:
fromversion: 6.8.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
index c90cfbecfc25..fd29447940de 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
@@ -93,8 +93,7 @@ tasks:
id: 6858b2fe-7399-44d8-894a-68f05cd01cad
version: -1
name: Cortex XDR - Isolate Endpoint
- description: This playbook accepts an XDR endpoint ID and isolates it using
- the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
+ description: This playbook accepts a Cortex XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
playbookName: Cortex XDR - Isolate Endpoint
type: playbook
iscommand: false
@@ -706,9 +705,7 @@ tasks:
id: e9267c6f-4c2d-48dd-8017-cecd3cd48a4a
version: -1
name: Threat Hunting - Generic
- description: "This playbook enables threat hunting for IOCs in your enterprise.\n\
- This playbook currently supports the following integrations:\n- Splunk\n-\
- \ Qradar\n- Pan-os\n- Cortex data lake \n- Autofocus"
+ description: "This playbook enables threat hunting for IOCs in your enterprise.\nThis playbook currently supports the following integrations:\n- Splunk\n- Qradar\n- Pan-os\n- Cortex data lake \n- Autofocus"
playbookName: Threat Hunting - Generic
type: playbook
iscommand: false
@@ -777,8 +774,7 @@ tasks:
id: aed1591c-cd9f-42ba-84c8-51184497392e
version: -1
name: Collect system info
- description: Initiates a new endpoint script execution action using a script
- from the script library.
+ description: Initiates a new endpoint script execution action using a script from the script library.
type: regular
iscommand: false
brand: ""
@@ -981,8 +977,7 @@ tasks:
id: e48287f6-34db-41f2-8a31-925555eca04a
version: -1
name: Is Active Directory Query v2 enabled?
- description: Checks if there’s an active instance of the Active Directory Query
- v2 integration enabled.
+ description: Checks if there’s an active instance of the Active Directory Query v2 integration enabled.
type: condition
iscommand: false
brand: ""
@@ -1128,8 +1123,7 @@ tasks:
id: e0a94c31-eeef-4c3b-83f8-3424a3d81462
version: -1
name: Cortex XDR - get incident extra data
- description: Returns additional data for the specified incident, for example,
- related alerts, file artifacts, network artifacts, and so on.
+ description: Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
script: '|||xdr-get-incident-extra-data'
type: regular
iscommand: true
@@ -1174,11 +1168,7 @@ tasks:
- "78"
scriptarguments:
query:
- simple: xdralerts.description:*printnightmare_exploit_patched_machine* OR
- xdralerts.description:*printnightmare_local_exploit_patched_machine* OR
- xdralerts.description:*printnightmare_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_local_exploit_unpatched_machine*
- OR xdralerts.description:*printnightmare_exploit.2* OR xdralerts.description:“*printnightmare_local_exploit.3*
- OR xdralerts.description:“*printnightmare_exploit.4* OR xdralerts.description:“*printnightmare_local_exploit.2*
+ simple: xdralerts.description:*printnightmare_exploit_patched_machine* OR xdralerts.description:*printnightmare_local_exploit_patched_machine* OR xdralerts.description:*printnightmare_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_local_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_exploit.2* OR xdralerts.description:“*printnightmare_local_exploit.3* OR xdralerts.description:“*printnightmare_exploit.4* OR xdralerts.description:“*printnightmare_local_exploit.2*
separatecontext: false
view: |-
{
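Review bot: The collapsed `simple:` query on the `+` line still carries a typographic left quote (`“`) with no closing quote before three of the wildcard terms — `xdralerts.description:“*printnightmare_local_exploit.3*`, `xdralerts.description:“*printnightmare_exploit.4*` and `xdralerts.description:“*printnightmare_local_exploit.2*` — so those terms most likely look for a literal `“` prefix and never match, and alerts with those descriptions are silently left out of this playbook's search. The commit reflows the line but carries the characters over from the removed lines unchanged. Dropping them gives `xdralerts.description:*printnightmare_local_exploit.3*`, `xdralerts.description:*printnightmare_exploit.4*` and `xdralerts.description:*printnightmare_local_exploit.2*`, matching the form of the other five terms. The task that owns this `scriptarguments` block starts before the hunk.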
@@ -1292,8 +1282,7 @@ tasks:
id: f9cf1d24-c495-4d57-8cd5-a02ddbb851a4
version: -1
name: Retrieve suspicious files involved in the attack
- description: Get files that were involved in the attack for further analysis
- and forensics.
+ description: Get files that were involved in the attack for further analysis and forensics.
type: regular
iscommand: false
brand: ""
@@ -1371,7 +1360,7 @@ tasks:
root: PaloAltoNetworksXDR.Incident.alerts
accessor: action_remote_ip
transformers:
- - operator: uniq
+ - operator: uniq
UserVerification:
complex:
root: inputs.UserVerification
@@ -1461,3 +1450,5 @@ outputs: []
tests:
- No tests (auto formatted)
fromversion: 6.5.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
index d1e10973b043..9d4058b31062 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
@@ -1402,8 +1402,7 @@ tasks:
scriptarguments:
incident_id:
complex:
- root: incident
- accessor: xdrincidentid
+ root: inputs.incident_id
reputationcalc: 2
separatecontext: false
continueonerrortype: ""
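Review bot: The `incident_id` argument now reads `inputs.incident_id` instead of `incident.xdrincidentid`, so this task only receives an ID when the playbook input is populated by the caller; the `inputs:` section that defines it is outside this hunk, and I could not confirm it has a default that maps back to the incident field. If it has none, running the playbook directly on an XDR incident hands the command an empty ID, which previously worked. If a default is wanted, the input entry can carry `value: {complex: {root: incident, accessor: xdrincidentid}}` so the old behaviour is kept as the fallback. The task this argument belongs to starts before the hunk.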
@@ -2184,4 +2183,6 @@ inputs:
outputs: []
tests:
- No tests (auto formatted)
-fromversion: 6.9.0
\ No newline at end of file
+fromversion: 6.9.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
index 2d63207a4e61..c04a7fe65de0 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
@@ -1425,3 +1425,5 @@ description: |-
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.
This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
system: true
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
index 92edf8221520..394982304309 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
@@ -1,7 +1,7 @@
id: Cortex XDR Malware - Investigation And Response
version: -1
name: Cortex XDR Malware - Investigation And Response
-description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.\nThis playbook investigates Cortex XDR malware incidents. It uses:\n - Cortex XDR insights \n - Command Line Analysis \n - Dedup \n - Sandbox hash search and detonation \n - Cortex XDR enrichment \n - Incident Handling (True/False Positive)"
+description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.\nThis playbook investigates Cortex XDR malware incidents. It uses:\n - Cortex XDR insights \n - Command Line Analysis \n - Dedup \n - Sandbox hash search and detonation \n - Cortex XDR enrichment \n - Incident Handling (True/False Positive)."
starttaskid: '0'
tasks:
'0':
@@ -2111,3 +2111,5 @@ tests:
fromversion: 6.5.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
index 9aec26e1b44b..705c1094d9a2 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
@@ -1,13 +1,7 @@
id: Cortex XDR device control violations
version: -1
name: Cortex XDR device control violations
-description: "Queries Cortex XDR for device control violations for the specified hosts,\
- \ IP address, or XDR endpoint ID. It then communicates via email with the involved\
- \ users to understand the nature of the incident and if the user connected the device.\
- \ \nAll the collected data will be displayed in the XDR device control incident\
- \ layout.\nThis playbook can also be associated with Cortex XDR device control violation\
- \ job to periodically query and investigate XDR device control violations. In this\
- \ configuration, the playbook will only communicate with the involved users."
+description: "Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. \nAll the collected data will be displayed in the XDR device control incident layout.\nThis playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users."
starttaskid: "0"
tasks:
"0":
@@ -45,8 +39,7 @@ tasks:
id: 3b9e0236-4004-482e-8c5b-5084d95a532d
version: -1
name: Get endpoint device control violations
- description: Gets a list of device control violations filtered by selected fields.
- You can retrieve up to 100 violations.
+ description: Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
script: '|||xdr-get-endpoint-device-control-violations'
type: regular
iscommand: true
@@ -243,9 +236,7 @@ tasks:
id: 256b3ed5-14c2-4e5f-8ae2-bc937b86b8ce
version: -1
name: Get user email address
- description: Retrieves detailed information about a user account. The user can
- be specified by name, email address, or as an Active Directory Distinguished
- Name (DN). If no filter is specified, all users are returned.
+ description: Retrieves detailed information about a user account. The user can be specified by name, email address, or as an Active Directory Distinguished Name (DN). If no filter is specified, all users are returned.
script: '|||ad-get-user'
type: regular
iscommand: true
@@ -563,4 +554,6 @@ inputs:
outputs: []
tests:
- No tests (auto formatted)
-fromversion: 5.5.0
\ No newline at end of file
+fromversion: 5.5.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/ReleaseNotes/5_2_6.md b/Packs/CortexXDR/ReleaseNotes/5_2_6.md
new file mode 100644
index 000000000000..d037b5ff10eb
--- /dev/null
+++ b/Packs/CortexXDR/ReleaseNotes/5_2_6.md
@@ -0,0 +1,137 @@
+
+#### Scripts
+
+##### CortexXDRAdditionalAlertInformationWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### CortexXDRCloudProviderWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### CortexXDRIdentityInformationWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### CortexXDRInvestigationVerdict
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### CortexXDRRemediationActionsWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### DBotGroupXDRIncidents
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### EntryWidgetNumberHostsXDR
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### EntryWidgetNumberRegionsXCLOUD
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### EntryWidgetNumberResourcesXCLOUD
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### EntryWidgetNumberUsersXDR
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### EntryWidgetPieAlertsXDR
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### XCloudRegionsPieWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### XCloudResourcesPieWidget
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### XDRConnectedEndpoints
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### XDRDisconnectedEndpoints
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+
+#### Integrations
+
+##### Cortex XDR - IOC
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### Cortex XDR - XQL Query Engine
+
+Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+- Added the *public_ip_list* argument for the ***xdr-get-endpoints*** command.
+- Updated the Docker image to: *demisto/python3:3.10.13.80014*.
+
+
+#### Playbooks
+
+##### Cortex XDR - First SSO Access
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR - Port Scan - Adjusted
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR - Possible External RDP Brute-Force
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR - PrintNightmare Detection and Response
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR Alerts Handling
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR Lite - Incident Handling
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR Malware - Investigation And Response
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR device control violations
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+##### Cortex XDR incident handling v3
+
+Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+
+#### Incident Types
+
+- **Cortex XDR - Lite**
+ - Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+- **Cortex XDR - XCLOUD Cryptomining**
+ - Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+- **Cortex XDR Device Control Violations**
+ - Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
+- **Cortex XDR Incident**
+ - Added the Cortex XSOAR as the only marketplace where this content item can be used.
+
diff --git a/Packs/CortexXDR/Scripts/CortexXDRAdditionalAlertInformationWidget/CortexXDRAdditionalAlertInformationWidget.yml b/Packs/CortexXDR/Scripts/CortexXDRAdditionalAlertInformationWidget/CortexXDRAdditionalAlertInformationWidget.yml
index e8f0c6df4bfa..cc8f1d0df565 100644
--- a/Packs/CortexXDR/Scripts/CortexXDRAdditionalAlertInformationWidget/CortexXDRAdditionalAlertInformationWidget.yml
+++ b/Packs/CortexXDR/Scripts/CortexXDRAdditionalAlertInformationWidget/CortexXDRAdditionalAlertInformationWidget.yml
@@ -9,5 +9,5 @@ tags:
timeout: '0'
type: python
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
fromversion: 6.0.0
diff --git a/Packs/CortexXDR/Scripts/CortexXDRCloudProviderWidget/CortexXDRCloudProviderWidget.yml b/Packs/CortexXDR/Scripts/CortexXDRCloudProviderWidget/CortexXDRCloudProviderWidget.yml
index 5faa76c4fc33..65fec6e3aa87 100644
--- a/Packs/CortexXDR/Scripts/CortexXDRCloudProviderWidget/CortexXDRCloudProviderWidget.yml
+++ b/Packs/CortexXDR/Scripts/CortexXDRCloudProviderWidget/CortexXDRCloudProviderWidget.yml
@@ -9,7 +9,7 @@ tags:
timeout: '0'
type: python
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
fromversion: 6.0.0
tests:
- No tests (auto formatted)
diff --git a/Packs/CortexXDR/Scripts/CortexXDRIdentityInformationWidget/CortexXDRIdentityInformationWidget.yml b/Packs/CortexXDR/Scripts/CortexXDRIdentityInformationWidget/CortexXDRIdentityInformationWidget.yml
index 7ea0d1fcb50b..ced27b389eb1 100644
--- a/Packs/CortexXDR/Scripts/CortexXDRIdentityInformationWidget/CortexXDRIdentityInformationWidget.yml
+++ b/Packs/CortexXDR/Scripts/CortexXDRIdentityInformationWidget/CortexXDRIdentityInformationWidget.yml
@@ -9,7 +9,7 @@ tags:
timeout: '0'
type: python
subtype: python3
-dockerimage: demisto/python3:3.10.12.66339
+dockerimage: demisto/python3:3.10.13.80014
fromversion: 6.0.0
tests:
- No tests (auto formatted)
diff --git a/Packs/CortexXDR/Scripts/CortexXDRInvestigationVerdict/CortexXDRInvestigationVerdict.yml b/Packs/CortexXDR/Scripts/CortexXDRInvestigationVerdict/CortexXDRInvestigationVerdict.yml
index 74d7963528cf..248253c86c5b 100644
--- a/Packs/CortexXDR/Scripts/CortexXDRInvestigationVerdict/CortexXDRInvestigationVerdict.yml
+++ b/Packs/CortexXDR/Scripts/CortexXDRInvestigationVerdict/CortexXDRInvestigationVerdict.yml
@@ -2,7 +2,7 @@ comment: This widget displays the incident verdict based on the 'Verdict' field.
commonfields:
id: CortexXDRInvestigationVerdict
version: -1
-dockerimage: demisto/python3:3.10.13.78960
+dockerimage: demisto/python3:3.10.13.80014
enabled: true
engineinfo: {}
name: CortexXDRInvestigationVerdict
diff --git a/Packs/CortexXDR/Scripts/CortexXDRRemediationActionsWidget/CortexXDRRemediationActionsWidget.yml b/Packs/CortexXDR/Scripts/CortexXDRRemediationActionsWidget/CortexXDRRemediationActionsWidget.yml
index 49945fdb1d75..f75a4dc9aaa8 100644
--- a/Packs/CortexXDR/Scripts/CortexXDRRemediationActionsWidget/CortexXDRRemediationActionsWidget.yml
+++ b/Packs/CortexXDR/Scripts/CortexXDRRemediationActionsWidget/CortexXDRRemediationActionsWidget.yml
@@ -9,5 +9,5 @@ tags:
timeout: '0'
type: python
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
fromversion: 6.0.0
diff --git a/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml b/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
index b605bf9f76a3..f5dc578288b3 100644
--- a/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
+++ b/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
@@ -11,12 +11,12 @@ args:
description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page, for example: "3 days ago", ""2019-01-01T00:00:00 +0200").'
name: fromDate
- defaultValue: '500'
- description: The maximum number of incidents to fetch
+ description: The maximum number of incidents to fetch.
name: limit
- defaultValue: Cortex XDR Incident
- description: The Cortex XDR incident type
+ description: The Cortex XDR incident type.
name: incidentType
-- description: Input search query from the dashboard
+- description: Input search query from the dashboard.
name: searchQuery
- defaultValue: '24'
description: Period of time (in hours) before retraining the model. Default is "24".
@@ -47,4 +47,6 @@ type: python
tests:
- No tests (auto formatted)
fromversion: 6.2.0
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Scripts/EntryWidgetNumberHostsXDR/EntryWidgetNumberHostsXDR.yml b/Packs/CortexXDR/Scripts/EntryWidgetNumberHostsXDR/EntryWidgetNumberHostsXDR.yml
index b8c7c6bcca1a..8f2b8eb36293 100644
--- a/Packs/CortexXDR/Scripts/EntryWidgetNumberHostsXDR/EntryWidgetNumberHostsXDR.yml
+++ b/Packs/CortexXDR/Scripts/EntryWidgetNumberHostsXDR/EntryWidgetNumberHostsXDR.yml
@@ -9,7 +9,7 @@ tags:
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 5.0.0
comment: Entry widget that returns the number of hosts in a Cortex XDR incident.
diff --git a/Packs/CortexXDR/Scripts/EntryWidgetNumberRegionsXCLOUD/EntryWidgetNumberRegionsXCLOUD.yml b/Packs/CortexXDR/Scripts/EntryWidgetNumberRegionsXCLOUD/EntryWidgetNumberRegionsXCLOUD.yml
index bd251d59f2b6..467b15328c0c 100644
--- a/Packs/CortexXDR/Scripts/EntryWidgetNumberRegionsXCLOUD/EntryWidgetNumberRegionsXCLOUD.yml
+++ b/Packs/CortexXDR/Scripts/EntryWidgetNumberRegionsXCLOUD/EntryWidgetNumberRegionsXCLOUD.yml
@@ -10,7 +10,7 @@ comment: Entry widget that returns the number of regions in a Cortex XDR inciden
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 6.5.0
tests:
diff --git a/Packs/CortexXDR/Scripts/EntryWidgetNumberResourcesXCLOUD/EntryWidgetNumberResourcesXCLOUD.yml b/Packs/CortexXDR/Scripts/EntryWidgetNumberResourcesXCLOUD/EntryWidgetNumberResourcesXCLOUD.yml
index edac1eab7044..e7c155959087 100644
--- a/Packs/CortexXDR/Scripts/EntryWidgetNumberResourcesXCLOUD/EntryWidgetNumberResourcesXCLOUD.yml
+++ b/Packs/CortexXDR/Scripts/EntryWidgetNumberResourcesXCLOUD/EntryWidgetNumberResourcesXCLOUD.yml
@@ -10,7 +10,7 @@ comment: Entry widget that returns the number of resources in a Cortex XDR incid
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 6.5.0
tests:
diff --git a/Packs/CortexXDR/Scripts/EntryWidgetNumberUsersXDR/EntryWidgetNumberUsersXDR.yml b/Packs/CortexXDR/Scripts/EntryWidgetNumberUsersXDR/EntryWidgetNumberUsersXDR.yml
index 36a75576dc98..4d8ccb9a9148 100644
--- a/Packs/CortexXDR/Scripts/EntryWidgetNumberUsersXDR/EntryWidgetNumberUsersXDR.yml
+++ b/Packs/CortexXDR/Scripts/EntryWidgetNumberUsersXDR/EntryWidgetNumberUsersXDR.yml
@@ -9,7 +9,7 @@ tags:
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 5.0.0
comment: Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
diff --git a/Packs/CortexXDR/Scripts/EntryWidgetPieAlertsXDR/EntryWidgetPieAlertsXDR.yml b/Packs/CortexXDR/Scripts/EntryWidgetPieAlertsXDR/EntryWidgetPieAlertsXDR.yml
index 185c0b9142a6..010ce4de81ce 100644
--- a/Packs/CortexXDR/Scripts/EntryWidgetPieAlertsXDR/EntryWidgetPieAlertsXDR.yml
+++ b/Packs/CortexXDR/Scripts/EntryWidgetPieAlertsXDR/EntryWidgetPieAlertsXDR.yml
@@ -9,7 +9,7 @@ tags:
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 5.0.0
comment: Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
diff --git a/Packs/CortexXDR/Scripts/XCloudRegionsPieWidget/XCloudRegionsPieWidget.yml b/Packs/CortexXDR/Scripts/XCloudRegionsPieWidget/XCloudRegionsPieWidget.yml
index 32ef444ae524..aa0c17cbd05c 100644
--- a/Packs/CortexXDR/Scripts/XCloudRegionsPieWidget/XCloudRegionsPieWidget.yml
+++ b/Packs/CortexXDR/Scripts/XCloudRegionsPieWidget/XCloudRegionsPieWidget.yml
@@ -10,7 +10,7 @@ comment: XCLOUD dynamic section, showing the top ten regions types in a pie char
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 6.5.0
tests:
diff --git a/Packs/CortexXDR/Scripts/XCloudResourcesPieWidget/XCloudResourcesPieWidget.yml b/Packs/CortexXDR/Scripts/XCloudResourcesPieWidget/XCloudResourcesPieWidget.yml
index 354ba2ea2a6e..7538e207733d 100644
--- a/Packs/CortexXDR/Scripts/XCloudResourcesPieWidget/XCloudResourcesPieWidget.yml
+++ b/Packs/CortexXDR/Scripts/XCloudResourcesPieWidget/XCloudResourcesPieWidget.yml
@@ -10,7 +10,7 @@ comment: XCLOUD dynamic section, showing the top ten resource types in a pie cha
enabled: true
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
fromversion: 6.5.0
tests:
diff --git a/Packs/CortexXDR/Scripts/XDRConnectedEndpoints/XDRConnectedEndpoints.yml b/Packs/CortexXDR/Scripts/XDRConnectedEndpoints/XDRConnectedEndpoints.yml
index 56c22bf5a26e..fdeee42c01cf 100644
--- a/Packs/CortexXDR/Scripts/XDRConnectedEndpoints/XDRConnectedEndpoints.yml
+++ b/Packs/CortexXDR/Scripts/XDRConnectedEndpoints/XDRConnectedEndpoints.yml
@@ -17,7 +17,7 @@ args:
defaultValue: '100'
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
comment: The widget returns the number of the connected endpoints using xdr-get-endpoints command.
fromversion: 6.0.0
diff --git a/Packs/CortexXDR/Scripts/XDRDisconnectedEndpoints/XDRDisconnectedEndpoints.yml b/Packs/CortexXDR/Scripts/XDRDisconnectedEndpoints/XDRDisconnectedEndpoints.yml
index 7dc01b369654..9c8ee43e6747 100644
--- a/Packs/CortexXDR/Scripts/XDRDisconnectedEndpoints/XDRDisconnectedEndpoints.yml
+++ b/Packs/CortexXDR/Scripts/XDRDisconnectedEndpoints/XDRDisconnectedEndpoints.yml
@@ -17,7 +17,7 @@ args:
defaultValue: '100'
scripttarget: 0
subtype: python3
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.80014
runas: DBotWeakRole
comment: The widget returns the number of the disconnected endpoints using xdr-get-endpoints command.
fromversion: 6.0.0
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
index 396a5e4cda4a..f5b0e58cef6c 100644
--- a/Packs/CortexXDR/pack_metadata.json
+++ b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
- "currentVersion": "5.2.5",
+ "currentVersion": "5.2.6",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -77,7 +77,8 @@
}
},
"marketplaces": [
- "xsoar"
+ "xsoar",
+ "xpanse"
],
"displayedImages": [
"ServiceNow",
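Review bot: `xpanse` is added to the pack-level `marketplaces` list, while every playbook and the DBotGroupXDRIncidents script touched in this same diff pin `marketplaces: - xsoar`, so an xpanse install receives the pack without those items. The 5_2_6 release notes in this diff describe only the XSOAR-only restrictions and do not mention the new marketplace, so the split is undocumented for users; if this is intended, a release-note line such as `- The pack is now also available in the xpanse marketplace.` would make it explicit. If it is not intended, this is the line to revert.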
diff --git a/Packs/ctf01/.pack-ignore b/Packs/ctf01/.pack-ignore
index ca5bca99b3b5..58dae853f8e1 100644
--- a/Packs/ctf01/.pack-ignore
+++ b/Packs/ctf01/.pack-ignore
@@ -14,4 +14,7 @@ ignore=IF113
[file:OHMYVTCTF_image.png]
ignore=IM111
+[known_words]
+CTF
+
[file:CortexXDRIR.yml]
diff --git a/Packs/ctf01/ReleaseNotes/1_0_2.md b/Packs/ctf01/ReleaseNotes/1_0_2.md
new file mode 100644
index 000000000000..46cd450afb0c
--- /dev/null
+++ b/Packs/ctf01/ReleaseNotes/1_0_2.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Cortex XDR - IR CTF
+
+Internal maintenance.
diff --git a/Packs/ctf01/pack_metadata.json b/Packs/ctf01/pack_metadata.json
index fc615c83654c..d71427ce5358 100644
--- a/Packs/ctf01/pack_metadata.json
+++ b/Packs/ctf01/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Capture The Flag - 01",
"description": "XSOAR's Capture the flag (CTF)",
"support": "xsoar",
- "currentVersion": "1.0.1",
+ "currentVersion": "1.0.2",
"serverMinVersion": "8.2.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
diff --git a/Tests/conf.json b/Tests/conf.json
index 97b320740ee3..9a69a5307690 100644
--- a/Tests/conf.json
+++ b/Tests/conf.json
@@ -5070,7 +5070,8 @@
"integrations": "Cortex XDR - XQL Query Engine",
"playbookID": "Cortex XDR - XQL Query - Test",
"fromversion": "6.2.0",
- "memory_threshold": 90
+ "memory_threshold": 90,
+ "timeout": 500
},
{
"playbookID": "ListUsedDockerImages - Test",