diff --git a/Packs/ApiModules/ReleaseNotes/2_2_21.md b/Packs/ApiModules/ReleaseNotes/2_2_21.md
new file mode 100644
index 000000000000..2ca2d5cb8e1d
--- /dev/null
+++ b/Packs/ApiModules/ReleaseNotes/2_2_21.md
@@ -0,0 +1,4 @@
+
+#### Scripts
+##### CoreIRApiModule
+Added the *public_ip_list* argument for the ***get_endpoints()*** API call.
\ No newline at end of file
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
index 2d25dfe222c2..8314009c9f67 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.py
@@ -152,6 +152,7 @@ def get_endpoints(self,
endpoint_id_list=None,
dist_name=None,
ip_list=None,
+ public_ip_list=None,
group_name=None,
platform=None,
alias_name=None,
@@ -181,7 +182,7 @@ def get_endpoints(self,
status=status, username=username, endpoint_id_list=endpoint_id_list, dist_name=dist_name,
ip_list=ip_list, group_name=group_name, platform=platform, alias_name=alias_name, isolate=isolate,
hostname=hostname, first_seen_gte=first_seen_gte, first_seen_lte=first_seen_lte,
- last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte
+ last_seen_gte=last_seen_gte, last_seen_lte=last_seen_lte, public_ip_list=public_ip_list
)
if search_from:
@@ -1809,6 +1810,7 @@ def get_endpoints_command(client, args):
endpoint_id_list = argToList(args.get('endpoint_id_list'))
dist_name = argToList(args.get('dist_name'))
ip_list = argToList(args.get('ip_list'))
+ public_ip_list = argToList(args.get('public_ip_list'))
group_name = argToList(args.get('group_name'))
platform = argToList(args.get('platform'))
alias_name = argToList(args.get('alias_name'))
@@ -1845,6 +1847,7 @@ def get_endpoints_command(client, args):
endpoint_id_list=endpoint_id_list,
dist_name=dist_name,
ip_list=ip_list,
+ public_ip_list=public_ip_list,
group_name=group_name,
platform=platform,
alias_name=alias_name,
@@ -3454,6 +3457,7 @@ def create_request_filters(
endpoint_id_list: Optional[List] = None,
dist_name: Optional[List] = None,
ip_list: Optional[List] = None,
+ public_ip_list: Optional[List] = None,
group_name: Optional[List] = None,
platform: Optional[List] = None,
alias_name: Optional[List] = None,
@@ -3502,6 +3506,13 @@ def create_request_filters(
'value': ip_list
})
+ if public_ip_list:
+ filters.append({
+ 'field': 'public_ip_list',
+ 'operator': 'in',
+ 'value': public_ip_list
+ })
+
if group_name:
filters.append({
'field': 'group_name',
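Review bot: The new `public_ip_list` filter block is followed by a blank line that the adjacent `ip_list` block it mirrors does not have; drop it so the run of filter blocks in create_request_filters reads uniformly. The list values are appended to the request exactly as received, the same as `ip_list`, so a malformed entry is only caught by whatever the backend reports; if that error is opaque, a fail-fast check at the command boundary such as `[ipaddress.ip_address(ip) for ip in public_ip_list]` (stdlib `ipaddress`) would surface bad input with a clear message — presumably `ip_list` has the same gap, so treat both alike or neither. create_request_filters starts and ends outside the hunk.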
diff --git a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
index 3edb30b83f03..616cda231ca8 100644
--- a/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
+++ b/Packs/ApiModules/Scripts/CoreIRApiModule/CoreIRApiModule.yml
@@ -12,5 +12,7 @@ comment: Common Core IR Client, provides generic Infrastructure.
scripttarget: 0
dependson: {}
timeout: 0s
-dockerimage: demisto/python3:3.10.1.27636
+dockerimage: demisto/python3:3.10.13.78960
fromversion: 5.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/ApiModules/pack_metadata.json b/Packs/ApiModules/pack_metadata.json
index 3fb471e15894..940629929a27 100644
--- a/Packs/ApiModules/pack_metadata.json
+++ b/Packs/ApiModules/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "ApiModules",
"description": "API Modules",
"support": "xsoar",
- "currentVersion": "2.2.20",
+ "currentVersion": "2.2.21",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -13,6 +13,7 @@
"keywords": [],
"marketplaces": [
"xsoar",
- "marketplacev2"
+ "marketplacev2",
+ "xpanse"
]
}
\ No newline at end of file
diff --git a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
index 68217c56db9b..3fbb9f7da0dc 100644
--- a/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
+++ b/Packs/Core/Integrations/CortexCoreIR/CortexCoreIR.yml
@@ -100,19 +100,24 @@ script:
isArray: true
name: dist_name
- description: |-
- A comma-separated list of IP addresses.
- Example: 8.8.8.8,1.1.1.1.
+ A comma-separated list of private IP addresses.
+ Example: 10.1.1.1,192.168.1.1.
isArray: true
name: ip_list
+ - description: |-
+ A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
+ Example: 8.8.8.8,1.1.1.1.
+ isArray: true
+ name: public_ip_list
- description: |-
The group name to which the agent belongs.
Example: group_name1,group_name2.
isArray: true
name: group_name
- - auto: PREDEFINED
- description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
+ - description: 'The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". '
isArray: true
name: platform
+ auto: PREDEFINED
predefined:
- windows
- linux
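Review bot: The new `public_ip_list` description reads "(know as `Last Origin IP`)" — it should be "known as"; the same sentence is repeated in the CortexXDRIR.yml argument block and in both integration READMEs touched by this commit, so fix all four together. The re-keyed `platform` entry also carries the pre-existing trailing space inside its quoted description (`... or "android". '`), which the README then renders as `". ."`; trimming it here removes the doubled period downstream. The CortexXDRIR README additionally has a duplicated `Example: Example:` in the new `ip_list` row.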
@@ -121,19 +126,20 @@ script:
- description: |-
A comma-separated list of alias names.
Examples: alias_name1,alias_name2.
- isArray: true
name: alias_name
- - auto: PREDEFINED
- description: Specifies whether the endpoint was isolated or unisolated.
+ isArray: true
+ - description: |-
+ Specifies whether the endpoint was isolated or unisolated.
name: isolate
+ auto: PREDEFINED
predefined:
- isolated
- unisolated
- description: |-
Hostname
Example: hostname1,hostname2.
- isArray: true
name: hostname
+ isArray: true
- description: |-
All the agents that were first seen after {first_seen_gte}.
Supported values:
@@ -165,9 +171,9 @@ script:
- defaultValue: '0'
description: Page number (for pagination). The default is 0 (the first page).
name: page
- - defaultValue: '30'
- description: Maximum number of endpoints to return per page. The default and maximum is 30.
+ - description: Maximum number of endpoints to return per page. The default and maximum is 30.
name: limit
+ defaultValue: '30'
- auto: PREDEFINED
description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
name: sort_by
@@ -175,16 +181,16 @@ script:
- first_seen
- last_seen
- auto: PREDEFINED
- defaultValue: asc
description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
name: sort_order
predefined:
- asc
- desc
- - auto: PREDEFINED
+ defaultValue: asc
+ - name: status
description: A comma-separated list of endpoints statuses to filter.
- name: status
isArray: true
+ auto: PREDEFINED
predefined:
- connected
- disconnected
diff --git a/Packs/Core/Integrations/CortexCoreIR/README.md b/Packs/Core/Integrations/CortexCoreIR/README.md
index 75ebd36bf82e..31a4ab82d313 100644
--- a/Packs/Core/Integrations/CortexCoreIR/README.md
+++ b/Packs/Core/Integrations/CortexCoreIR/README.md
@@ -84,7 +84,8 @@ Gets a list of endpoints, according to the passed filters. If there are no filte
| --- | --- | --- |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names.
Example: dist_name1,dist_name2. | Optional |
-| ip_list | A comma-separated list of IP addresses.
Example: 8.8.8.8,1.1.1.1. | Optional |
+| ip_list | A comma-separated list of private IP addresses.
Example: 10.1.1.1,192.168.1.1. | Optional |
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs.
Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names.
Examples: alias_name1,alias_name2. | Optional |
diff --git a/Packs/Core/ReleaseNotes/2_1_1.md b/Packs/Core/ReleaseNotes/2_1_1.md
new file mode 100644
index 000000000000..d1883fc06437
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/2_1_1.md
@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### Investigation & Response
+
+Added the *public_ip_list* argument for the ***core-get-endpoints*** command.
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 736e2acfbfe8..1bb9df41edc1 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Core - Investigation and Response",
"description": "Automates incident response",
"support": "xsoar",
- "currentVersion": "2.1.0",
+ "currentVersion": "2.1.1",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
index c1ad3baa0804..d126b194ec34 100644
--- a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
+++ b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident.json
@@ -21,5 +21,8 @@
"weeks": 0,
"weeksR": 0,
"fromVersion": "6.0.0",
- "layout": "Cortex XDR Incident"
+ "layout": "Cortex XDR Incident",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
index 00f9ed5fab9d..ff68d7b15771 100644
--- a/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
+++ b/Packs/CortexXDR/IncidentTypes/Cortex_XDR_Incident_5_9_9.json
@@ -22,5 +22,8 @@
"weeksR": 0,
"fromVersion": "5.0.0",
"toVersion": "5.9.9",
- "layout": "Cortex XDR Incident"
+ "layout": "Cortex XDR Incident",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
index 3f01e48c6d95..d8cfc744e5ab 100644
--- a/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
+++ b/Packs/CortexXDR/IncidentTypes/incidenttype-Cortex_XDR_-_XCLOUD_Cryptomining.json
@@ -26,5 +26,8 @@
"mode": "Specific",
"fieldCliNameToExtractSettings": {}
},
- "fromVersion": "6.5.0"
+ "fromVersion": "6.5.0",
+ "marketplaces": [
+ "xsoar"
+ ]
}
\ No newline at end of file
diff --git a/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json b/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
index 2317ab12c398..95dd07f0116a 100644
--- a/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
+++ b/Packs/CortexXDR/IncidentTypes/incidenttype-XDR_Device_Control_Violations.json
@@ -18,5 +18,8 @@
"version": -1,
"weeks": 0,
"weeksR": 0,
- "fromVersion": "5.5.0"
+ "fromVersion": "5.5.0",
+ "marketplaces": [
+ "xsoar"
+ ]
}
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
index fec44ddd3f41..0825d40a6420 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/CortexXDRIR.yml
@@ -777,10 +777,15 @@ script:
isArray: true
name: dist_name
- description: |-
- A comma-separated list of IP addresses.
- Example: 8.8.8.8,1.1.1.1.
+ A comma-separated list of private IP addresses.
+ Example: 10.1.1.1,192.168.1.1.
isArray: true
name: ip_list
+ - description: |-
+ A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
+ Example: 8.8.8.8,1.1.1.1.
+ isArray: true
+ name: public_ip_list
- description: |-
The group name to which the agent belongs.
Example: group_name1,group_name2.
@@ -798,19 +803,20 @@ script:
- description: |-
A comma-separated list of alias names.
Examples: alias_name1,alias_name2.
- isArray: true
name: alias_name
- - auto: PREDEFINED
- description: Specifies whether the endpoint was isolated or unisolated.
+ isArray: true
+ - description: |-
+ Specifies whether the endpoint was isolated or unisolated.
name: isolate
+ auto: PREDEFINED
predefined:
- isolated
- unisolated
- description: |-
Hostname
Example: hostname1,hostname2.
- isArray: true
name: hostname
+ isArray: true
- description: |-
All the agents that were first seen after {first_seen_gte}.
Supported values:
@@ -842,19 +848,19 @@ script:
- defaultValue: '0'
description: Page number (for pagination). The default is 0 (the first page).
name: page
- - defaultValue: '30'
- description: Maximum number of endpoints to return per page. The default and maximum is 30.
+ - description: Maximum number of endpoints to return per page. The default and maximum is 30.
name: limit
+ defaultValue: '30'
- auto: PREDEFINED
description: Specifies whether to sort endpoints by the first time or last time they were seen. Can be "first_seen" or "last_seen".
name: sort_by
predefined:
- first_seen
- last_seen
- - auto: PREDEFINED
- defaultValue: asc
+ - name: sort_order
description: The order by which to sort results. Can be "asc" (ascending) or "desc" ( descending). Default set to asc.
- name: sort_order
+ auto: PREDEFINED
+ defaultValue: asc
predefined:
- asc
- desc
@@ -2728,8 +2734,8 @@ script:
auto: PREDEFINED
defaultValue: 'true'
predefined:
- - 'true'
- - 'false'
+ - 'true'
+ - 'false'
description: Returns information about each alert ID.
name: xdr-get-cloud-original-alerts
outputs:
diff --git a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
index 4e6a1d958011..fa6521926572 100644
--- a/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
+++ b/Packs/CortexXDR/Integrations/CortexXDRIR/README.md
@@ -689,7 +689,8 @@ Builtin Roles with this permission includes: "Privileged Responder", "Viewer" an
| status | A comma-separated list of endpoints statuses to filter. Valid values are: connected, disconnected, lost, uninstalled, windows, linux, macos, android, isolated, unisolated. | Optional |
| endpoint_id_list | A comma-separated list of endpoint IDs. | Optional |
| dist_name | A comma-separated list of distribution package names or installation package names.
Example: dist_name1,dist_name2. | Optional |
-| ip_list | A comma-separated list of IP addresses.
Example: 8.8.8.8,1.1.1.1. | Optional |
+| ip_list | A comma-separated list of private IP addresses.
Example: Example: 10.1.1.1,192.168.1.1. | Optional |
+| public_ip_list | A comma-separated list of public IP addresses that correlate to the last IPv4 address from which the XDR agent connected (know as `Last Origin IP`).
Example: 8.8.8.8,1.1.1.1. | Optional |
| group_name | The group name to which the agent belongs.
Example: group_name1,group_name2. | Optional |
| platform | The endpoint platform. Valid values are\: "windows", "linux", "macos", or "android". . Possible values are: windows, linux, macos, android. | Optional |
| alias_name | A comma-separated list of alias names.
Examples: alias_name1,alias_name2. | Optional |
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
index 2035b3a73ef1..28f15d9485b6 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Port_Scan_-_Adjusted.yml
@@ -1,7 +1,7 @@
id: Cortex XDR - Port Scan - Adjusted
version: -1
name: Cortex XDR - Port Scan - Adjusted
-description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan"
+description: "The playbook investigates Cortex XDR incidents involving port scan alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling’. \n\nThe playbook consists of the following procedures:\n- Enrichment and investigation of the scanner and scanned hostname and IP address.\n- Enrichment and investigation of the initiator user, process, file, or command if it exists.\n- Detection of related indicators and analysis of the relationship between the detected indicators.\n- Utilize the detected indicators to conduct threat hunting.\n- Blocks detected malicious indicators.\n- Endpoint isolation.\n\nThis playbook supports the following Cortex XDR alert names:\n- Suspicious port scan\n- Port scan by suspicious process\n- Highly suspicious port scan\n- Port scan."
starttaskid: "0"
tasks:
"0":
@@ -2755,7 +2755,7 @@ outputs:
description: Lateral Movement First Date time from the port scan alert.
type: unknown
- contextPath: PortScan.PortScanFirstDatetime
- description: Port Scan First Date time
+ description: Port Scan First Date time.
type: unknown
tests:
- Test XDR Playbook general commands
@@ -2764,3 +2764,5 @@ tests:
fromversion: 5.0.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
index 4b44b94483ec..acf9787cb5f2 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
@@ -3,7 +3,7 @@ version: -1
contentitemexportablefields:
contentitemfields: {}
name: Cortex XDR Alerts Handling
-description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cloud Cryptojacking\n- Cloud Token Theft\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation"
+description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cloud Cryptojacking\n- Cloud Token Theft\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation."
starttaskid: "0"
tasks:
"0":
@@ -237,8 +237,7 @@ tasks:
id: 12258730-025a-4931-8da9-9f68bfb6a32c
version: -1
name: Cortex XDR - get incident extra data
- description: Returns additional data for the specified incident, for example,
- related alerts, file artifacts, network artifacts, and so on.
+ description: Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
script: Cortex XDR - IR|||xdr-get-incident-extra-data
type: regular
iscommand: true
@@ -1371,8 +1370,7 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.alerts.name
description: Calculated name of the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.category
- description: Category of the alert, for example, Spyware Detected via Anti-Spyware
- profile.
+ description: Category of the alert, for example, Spyware Detected via Anti-Spyware profile.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.host_ip
description: Host IP involved in the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.host_name
@@ -1380,38 +1378,17 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.alerts.user_name
description: User name involved with the alert.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.event_type
- description: 'Event type: "Process Execution","Network Event","File Event","Registry
- Event","Injection Event","Load Image Event","Windows Event Log".'
+ description: 'Event type: "Process Execution","Network Event","File Event","Registry Event","Injection Event","Load Image Event","Windows Event Log".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action
- description: 'The action that triggered the alert. "REPORTED", "BLOCKED", "POST_DETECTED",
- "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1",
- "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8",
- "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15",
- "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4",
- "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23".'
+ description: 'The action that triggered the alert. "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action_pretty
- description: 'The action that triggered the alert: "Detected (Reported)" "Prevented
- (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)"
- "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied
- The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session
- And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)"
- "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented
- (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)"
- "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented
- (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)"
- "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)"
- "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP
- Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected
- (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)"
- "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire
- Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)".'
+ description: 'The action that triggered the alert: "Detected (Reported)" "Prevented (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)" "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)" "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)" "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)" "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)" "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)" "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name
description: Image name.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line
description: Command line.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status
- description: 'Signature status: "Signed" "Invalid Signature" "Unsigned" "Revoked"
- "Signature Fail" "N/A" "Weak Hash".'
+ description: 'Signature status: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash".'
- contextPath: PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor
description: Signature vendor name.
- contextPath: PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256
@@ -1423,31 +1400,27 @@ outputs:
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_domain
description: The domain related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_country
- description: The country related to the artifact
+ description: The country related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip
description: The remote IP related to the artifact.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status
- description: 'Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED",
- "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH".'
+ description: 'Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.is_process
description: Whether the file artifact is related to a process execution.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_name
description: Name of the file.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict
- description: 'The file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE",
- "PHISHING", "UNKNOWN".'
+ description: 'The file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE", "PHISHING", "UNKNOWN".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious
description: Whether the artifact is malicious, decided by the Wildfire verdict.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.type
- description: 'The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY",
- "HOSTNAME".'
+ description: 'The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME".'
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256
description: SHA256 hash of the file.
- contextPath: PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name
description: File signature vendor name.
- contextPath: PortScan.BlockPorts
- description: Indicates whether there's a need to block the ports used for exploitation
- on the scanned host.
+ description: Indicates whether there's a need to block the ports used for exploitation on the scanned host.
type: unknown
- contextPath: PortScan.AttackerIPs
description: Attacker IPs from the port scan alert.
@@ -1473,3 +1446,5 @@ outputs:
tests:
- No tests (auto formatted)
fromversion: 5.0.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
index 7b0978cd44db..2ba8db356293 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
@@ -2097,3 +2097,5 @@ tests:
fromversion: 6.5.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
index cb9146354164..1aee8f4d40d8 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_First_SSO_Access.yml
@@ -2177,3 +2177,5 @@ fromversion: 6.8.0
contentitemexportablefields:
contentitemfields: {}
system: true
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
index 26f77cac1237..57f491c1b707 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Possible_External_RDP_Brute-Force.yml
@@ -3125,3 +3125,5 @@ tests:
fromversion: 6.8.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
index c90cfbecfc25..31de99b6aa97 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_PrintNightmare_Detection_and_Response_6_5.yml
@@ -93,8 +93,7 @@ tasks:
id: 6858b2fe-7399-44d8-894a-68f05cd01cad
version: -1
name: Cortex XDR - Isolate Endpoint
- description: This playbook accepts an XDR endpoint ID and isolates it using
- the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
+ description: This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration.
playbookName: Cortex XDR - Isolate Endpoint
type: playbook
iscommand: false
@@ -706,9 +705,7 @@ tasks:
id: e9267c6f-4c2d-48dd-8017-cecd3cd48a4a
version: -1
name: Threat Hunting - Generic
- description: "This playbook enables threat hunting for IOCs in your enterprise.\n\
- This playbook currently supports the following integrations:\n- Splunk\n-\
- \ Qradar\n- Pan-os\n- Cortex data lake \n- Autofocus"
+ description: "This playbook enables threat hunting for IOCs in your enterprise.\nThis playbook currently supports the following integrations:\n- Splunk\n- Qradar\n- Pan-os\n- Cortex data lake \n- Autofocus"
playbookName: Threat Hunting - Generic
type: playbook
iscommand: false
@@ -777,8 +774,7 @@ tasks:
id: aed1591c-cd9f-42ba-84c8-51184497392e
version: -1
name: Collect system info
- description: Initiates a new endpoint script execution action using a script
- from the script library.
+ description: Initiates a new endpoint script execution action using a script from the script library.
type: regular
iscommand: false
brand: ""
@@ -981,8 +977,7 @@ tasks:
id: e48287f6-34db-41f2-8a31-925555eca04a
version: -1
name: Is Active Directory Query v2 enabled?
- description: Checks if there’s an active instance of the Active Directory Query
- v2 integration enabled.
+ description: Checks if there’s an active instance of the Active Directory Query v2 integration enabled.
type: condition
iscommand: false
brand: ""
@@ -1128,8 +1123,7 @@ tasks:
id: e0a94c31-eeef-4c3b-83f8-3424a3d81462
version: -1
name: Cortex XDR - get incident extra data
- description: Returns additional data for the specified incident, for example,
- related alerts, file artifacts, network artifacts, and so on.
+ description: Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
script: '|||xdr-get-incident-extra-data'
type: regular
iscommand: true
@@ -1174,11 +1168,7 @@ tasks:
- "78"
scriptarguments:
query:
- simple: xdralerts.description:*printnightmare_exploit_patched_machine* OR
- xdralerts.description:*printnightmare_local_exploit_patched_machine* OR
- xdralerts.description:*printnightmare_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_local_exploit_unpatched_machine*
- OR xdralerts.description:*printnightmare_exploit.2* OR xdralerts.description:“*printnightmare_local_exploit.3*
- OR xdralerts.description:“*printnightmare_exploit.4* OR xdralerts.description:“*printnightmare_local_exploit.2*
+ simple: xdralerts.description:*printnightmare_exploit_patched_machine* OR xdralerts.description:*printnightmare_local_exploit_patched_machine* OR xdralerts.description:*printnightmare_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_local_exploit_unpatched_machine* OR xdralerts.description:*printnightmare_exploit.2* OR xdralerts.description:“*printnightmare_local_exploit.3* OR xdralerts.description:“*printnightmare_exploit.4* OR xdralerts.description:“*printnightmare_local_exploit.2*
separatecontext: false
view: |-
{
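Review bot: The reflowed `simple:` query keeps three search terms prefixed with a curly opening quote (`“*printnightmare_local_exploit.3*`, `“*printnightmare_exploit.4*`, `“*printnightmare_local_exploit.2*`) that is never closed, while the other five terms carry no quote at all; this looks like a paste artifact, and if the `“` is taken as part of the term those three alert descriptions will likely never match. Dropping the quote so each reads `xdralerts.description:*printnightmare_local_exploit.3*` makes the terms consistent with the rest of the query. The task definition begins and ends outside the hunk.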
@@ -1292,8 +1282,7 @@ tasks:
id: f9cf1d24-c495-4d57-8cd5-a02ddbb851a4
version: -1
name: Retrieve suspicious files involved in the attack
- description: Get files that were involved in the attack for further analysis
- and forensics.
+ description: Get files that were involved in the attack for further analysis and forensics.
type: regular
iscommand: false
brand: ""
@@ -1371,7 +1360,7 @@ tasks:
root: PaloAltoNetworksXDR.Incident.alerts
accessor: action_remote_ip
transformers:
- - operator: uniq
+ - operator: uniq
UserVerification:
complex:
root: inputs.UserVerification
@@ -1461,3 +1450,5 @@ outputs: []
tests:
- No tests (auto formatted)
fromversion: 6.5.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
index d1e10973b043..f067832e264e 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Lite_-_Incident_Handling.yml
@@ -2184,4 +2184,6 @@ inputs:
outputs: []
tests:
- No tests (auto formatted)
-fromversion: 6.9.0
\ No newline at end of file
+fromversion: 6.9.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
index 2d63207a4e61..c04a7fe65de0 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
@@ -1425,3 +1425,5 @@ description: |-
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.
This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
system: true
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
index 92edf8221520..394982304309 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Investigation_And_Response.yml
@@ -1,7 +1,7 @@
id: Cortex XDR Malware - Investigation And Response
version: -1
name: Cortex XDR Malware - Investigation And Response
-description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.\nThis playbook investigates Cortex XDR malware incidents. It uses:\n - Cortex XDR insights \n - Command Line Analysis \n - Dedup \n - Sandbox hash search and detonation \n - Cortex XDR enrichment \n - Incident Handling (True/False Positive)"
+description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.\nThis playbook investigates Cortex XDR malware incidents. It uses:\n - Cortex XDR insights \n - Command Line Analysis \n - Dedup \n - Sandbox hash search and detonation \n - Cortex XDR enrichment \n - Incident Handling (True/False Positive)."
starttaskid: '0'
tasks:
'0':
@@ -2111,3 +2111,5 @@ tests:
fromversion: 6.5.0
contentitemexportablefields:
contentitemfields: {}
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
index 9aec26e1b44b..705c1094d9a2 100644
--- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
+++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_device_control_violations.yml
@@ -1,13 +1,7 @@
id: Cortex XDR device control violations
version: -1
name: Cortex XDR device control violations
-description: "Queries Cortex XDR for device control violations for the specified hosts,\
- \ IP address, or XDR endpoint ID. It then communicates via email with the involved\
- \ users to understand the nature of the incident and if the user connected the device.\
- \ \nAll the collected data will be displayed in the XDR device control incident\
- \ layout.\nThis playbook can also be associated with Cortex XDR device control violation\
- \ job to periodically query and investigate XDR device control violations. In this\
- \ configuration, the playbook will only communicate with the involved users."
+description: "Queries Cortex XDR for device control violations for the specified hosts, IP address, or XDR endpoint ID. It then communicates via email with the involved users to understand the nature of the incident and if the user connected the device. \nAll the collected data will be displayed in the XDR device control incident layout.\nThis playbook can also be associated with Cortex XDR device control violation job to periodically query and investigate XDR device control violations. In this configuration, the playbook will only communicate with the involved users."
starttaskid: "0"
tasks:
"0":
@@ -45,8 +39,7 @@ tasks:
id: 3b9e0236-4004-482e-8c5b-5084d95a532d
version: -1
name: Get endpoint device control violations
- description: Gets a list of device control violations filtered by selected fields.
- You can retrieve up to 100 violations.
+ description: Gets a list of device control violations filtered by selected fields. You can retrieve up to 100 violations.
script: '|||xdr-get-endpoint-device-control-violations'
type: regular
iscommand: true
@@ -243,9 +236,7 @@ tasks:
id: 256b3ed5-14c2-4e5f-8ae2-bc937b86b8ce
version: -1
name: Get user email address
- description: Retrieves detailed information about a user account. The user can
- be specified by name, email address, or as an Active Directory Distinguished
- Name (DN). If no filter is specified, all users are returned.
+ description: Retrieves detailed information about a user account. The user can be specified by name, email address, or as an Active Directory Distinguished Name (DN). If no filter is specified, all users are returned.
script: '|||ad-get-user'
type: regular
iscommand: true
@@ -563,4 +554,6 @@ inputs:
outputs: []
tests:
- No tests (auto formatted)
-fromversion: 5.5.0
\ No newline at end of file
+fromversion: 5.5.0
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/ReleaseNotes/5_2_5.md b/Packs/CortexXDR/ReleaseNotes/5_2_5.md
new file mode 100644
index 000000000000..3504acd66adf
--- /dev/null
+++ b/Packs/CortexXDR/ReleaseNotes/5_2_5.md
@@ -0,0 +1,60 @@
+
+#### Integrations
+
+##### Palo Alto Networks Cortex XDR - Investigation and Response
+
+Added the *public_ip_list* argument for the ***xdr-get-endpoints*** command.
+
+#### Scripts
+
+##### DBotGroupXDRIncidents
+
+Updated the marketplaces to xsoar only.
+
+#### Playbooks
+
+##### Cortex XDR - First SSO Access
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR - Port Scan - Adjusted
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR - Possible External RDP Brute-Force
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR - PrintNightmare Detection and Response
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR Alerts Handling
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR Malware - Investigation And Response
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR device control violations
+
+Updated the marketplaces to xsoar only.
+
+##### Cortex XDR incident handling v3
+
+Updated the marketplaces to xsoar only.
+
+#### Incident Types
+
+###### Cortex XDR - XCLOUD Cryptomining
+
+Updated the marketplaces to xsoar only.
+
+###### Cortex XDR Lite - Incident Handlin
+
+Updated the marketplaces to xsoar only.
diff --git a/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml b/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
index b605bf9f76a3..a3bc6f3974ca 100644
--- a/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
+++ b/Packs/CortexXDR/Scripts/DBotGroupXDRIncidents/DBotGroupXDRIncidents.yml
@@ -11,12 +11,12 @@ args:
description: 'The start date by which to filter incidents. Date format will be the same as in the incidents query page, for example: "3 days ago", ""2019-01-01T00:00:00 +0200").'
name: fromDate
- defaultValue: '500'
- description: The maximum number of incidents to fetch
+ description: The maximum number of incidents to fetch.
name: limit
- defaultValue: Cortex XDR Incident
- description: The Cortex XDR incident type
+ description: The Cortex XDR incident type.
name: incidentType
-- description: Input search query from the dashboard
+- description: Input search query from the dashboard.
name: searchQuery
- defaultValue: '24'
description: Period of time (in hours) before retraining the model. Default is "24".
@@ -47,4 +47,6 @@ type: python
tests:
- No tests (auto formatted)
fromversion: 6.2.0
-dockerimage: demisto/python3:3.10.12.63474
+dockerimage: demisto/python3:3.10.13.78960
+marketplaces:
+- xsoar
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
index cbaf4952825c..1fb411032390 100644
--- a/Packs/CortexXDR/pack_metadata.json
+++ b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
- "currentVersion": "5.2.4",
+ "currentVersion": "5.2.5",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -77,7 +77,8 @@
}
},
"marketplaces": [
- "xsoar"
+ "xsoar",
+ "xpanse"
],
"displayedImages": [
"ServiceNow",
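Review bot: The pack-level `marketplaces` list now adds `"xpanse"` alongside `"xsoar"`, yet the 5_2_5 release notes introduced in this same change only record per-item "Updated the marketplaces to xsoar only" entries and say nothing about the pack becoming available on Xpanse. If the intent is that only the integration (now with the `public_ip_list` argument) surfaces on that marketplace while the playbooks, script and incident types stay XSOAR-only, a one-line entry in the release notes stating that would make the split intelligible to users, for example `Added the pack to the xpanse marketplace; playbooks, scripts and incident types remain xsoar only.` This is an inference from the visible files, so confirm against the project's release-note conventions before adding it.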