Skip to main content

Changes and Enhancements​

  • Integrations: Basic Tools added CC in Send Mail Action.

Bug fixes​

  • Integrations:
    • Fixed resource testing.
    • Fixed internal integration update process.
    • Fixed output fields containing a value of numerical "0" logged blanks instead of the actual number.
  • Playbooks:
    • Fixed playbook condition logic with AND, OR operators.
    • Fixed textarea and regex parsing when HTML tags are enabled.
    • Fixed issue related to multiple playbook revisions and user choice execution.

Cloud SOAR​

  • Incident: Fixed issue with war room large content loading.
  • API documentation updated.

This release introduces two new integrations and several updates to integrations and related playbooks.

Integrations​

Playbooks​

  • [Updated] 501 - Send Insight AWS SNS Notification
  • [Updated] 502 - Send Insight Email Notification
  • [Updated] 503 - Enrich Entity with CrowdStrike Falcon Intelligence
  • [Updated] 504 - Enrich Entity with DomainTools
  • [Updated] 505 - Enrich IP with Geolocation from MaxMind
  • [Updated] 506 - Recommend Insight Response
  • [Updated] 507 - Create PagerDuty Incident for Insight
  • [Updated] 508 - Enrich Entity with PowerShell GreyNoise
  • [Updated] 509 - Enrich Entity with PowerShell SentinelOne
  • [Updated] 510 - Enrich Entity with PowerShell User Query
  • [Updated] 511 - Enrich Entity with PowerShell CrowdStrike
  • [Updated] 512 - Enrich Entity with PowerShell CarbonBlack
  • [Updated] 513 - Enrich Entity with PowerShell Whois
  • [Updated] 514 - Enrich Entity with PowerShell nslookup
  • [Updated] 515 - Enrich Entity with Recorded Future
  • [Updated] 516 - Enrich Hash with SentinelOne
  • [Updated] 517 - Create ServiceNow Ticket for Insight
  • [Updated] 518 - Update ServiceNow Ticket for Insight
  • [Updated] 519 - Send Insight Slack Notification
  • [Updated] 520 - Enrich Entity with Log Search
  • [Updated] 521 - Update Match List
  • [Updated] 522 - Create Jira Issue for Insight
  • [Updated] 523 - Update Jira Issue for Insight
  • [Updated] 524 - Enrich IP Address with GreyNoise
  • [Updated] 525 - Enrich Entity with Jamf
  • [Updated] 526 - Send Insight Teams Notification
  • [Updated] 527 - Enrich Entity with VirusTotal
  • [Updated] 528 - Create ZenDesk Ticket for Insight
  • [Updated] 529 - Update ZenDesk Ticket for Insight
  • [Updated] 530 - Get Mitre Mitigations for Insight
  • [Updated] 531 - Example Insight full Enrichment
  • [Updated] 532 - Example Entity full Enrichment
  • [Updated] 533 - Example Involved Entities full Enrichment
  • [Updated] 534 - Enrich Entity with AlienVault OTX
  • [Updated] 535 - Application Latency Playbook
  • [Updated] 536 - Unresolved Alert Notification
  • [Updated] 537 - Amazon GuardDuty BruteForce finding
  • [Updated] 538 - Admin Privileges Granted
  • [Updated] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding
  • [Updated] 540 - EC2 instance accessed from malicious IP

Changes and Enhancements​

  • Text area editor: HTML mode is disabled by default.
  • Automation: In playbook list view now results are loaded after the user opens each action card.

Bug fixes​

  • App Central: Now when an integration is updated, user custom YAML output is automatically handled by the system and merged during the update process.
  • Automation: Users can now contact Sumo support asking from which public IPs automations will be generated.
  • Playbooks:
    • Fixed playbook saving action that caused playbooks to be empty.
    • Fixed issue related to multiple manual action execution in the same playbook.
    • Fixed import issue.

Cloud SOAR​

  • Entities: Fixed issue when creating new entity of type FILE.
  • Rules: Now it is not possible to create two rules with the same name.
  • Incidents: Fixed issue related to incident privileges.

Bug fixes​

  • Playbooks:
    • Fixed execution with cartesian product disabled.
    • Fixed condition node not working as expected when evaluating value 0 == any string.
  • Fixed date-time format settings.

Cloud SOAR​

  • Triage: Fixed playbook graph view errors.
  • Incidents:
    • Fixed incidents navigation button disabled when inside an incident.
    • Fixed modal to add user as investigator that returned an error.
    • Fixed fields with '0' value displayed as empty in GUI.
    • Fixed issue related to 'Prohibit duplicate naming' that was not enforced properly in case of incidents created from automation rule.
    • Fixed duplicate incidents issue when created from webhooks (LAP scheduled search).
    • Fixed incidents list with empty rows.

Changes and Enhancements​

Cloud SOAR​

  • Playbooks: Test feature now permits you to use internal Incident ID.

Bug fixes​

  • Playbooks:
    • Fixed test playbook broken functionality.
    • Fixed scheduled actions issue.
  • Integrations: Fixed Docker Image build issue that resulted in an internal error.

Cloud SOAR​

  • Incidents: Fixed column reordering causing the table to disappear.
  • Triage: Fixed possibility to execute the same playbook more than two times.

Our Cloud SOAR application update features an important upgrade to Python 3.12 for our Lambda functions. This enhancement is part of our ongoing commitment to security, performance, and the latest technological standards.

The Python upgrade impacts a total of 38 integrations. These integrations will require updates to ensure compatibility with the new Python version.

Please be aware that with this update, the output from certain actions may no longer be displayed as expected if they were customized in your current setup. This is an important consideration for your workflows, and we recommend reviewing any customizations you have in place.

To facilitate a smooth transition, we have prepared a straightforward guide to assist you in updating your integrations. This guide outlines the steps you need to take to ensure your integrations work seamlessly with Python 3.12. Click here for the "Updating App Central Integrations" guide.

Below is the full list of integrations that will be affected by the Python upgrade. Please review this list to determine which integrations in your environment will require attention.

Integrations​

  • [Updated] AWS Security Hub
  • [Updated] AlienVault USM Anywhere
  • [Updated] Arbor
  • [Updated] Arcsight ESM
  • [Updated] Chronicle
  • [Updated] Coralogix - Send Logs
  • [Updated] Cortex XDR
  • [Updated] CrowdStrike Falcon
  • [Updated] CrowdStrike Falcon Intelligence
  • [Updated] CylanceProtect
  • [Updated] DarkOwl
  • [Updated] Darktrace
  • [Updated] Devo
  • [Updated] Elastic Security
  • [Updated] FortiAnalyzer
  • [Updated] IMAP
  • [Updated] Incident Tools
  • [Updated] KnowBe4 PhishER
  • [Updated] LogRhythm
  • [Updated] MISP
  • [Updated] Microsoft 365 Defender
  • [Updated] Microsoft EWS
  • [Updated] Microsoft EWS Daemon
  • [Updated] Microsoft Teams
  • [Updated] Mimecast
  • [Updated] Netskope
  • [Updated] ProtectOnce
  • [Updated] RSA NetWitness
  • [Updated] Recorded Future
  • [Updated] SentinelOne
  • [Updated] Sophos Central V3
  • [Updated] Sumo Logic
  • [Updated] Sumo Logic CSE
  • [Updated] Sumo Logic Notifications
  • [Updated] VMware Carbon Black Cloud Endpoint Standard V2
  • [Updated] VMware Carbon Black Cloud Platform
  • [Updated] VirusTotal
  • [Updated] WithSecure Elements

We strongly encourage all users to review the provided documentation and prepare for the upcoming changes. Our support team is available to assist with any questions or concerns regarding this release.

This release contains several updates, including the introduction of new actions and the resolution of some issues.

Integrations​

  • [Updated] Lacework
    • New actions
      • Get Alert Details
      • Search Alerts
    • Fixed endpoint in Close Alert action
  • [Updated] Darktrace
    • Resolved bug related to integration resource
  • [Updated] IP Quality Score
    • New actions
      • Email Reputation
      • URL Reputation
    • Renamed action from "Get Credit Usage API" to "Get Credit Usage"
    • Refined labels and hints
    • Extended output mapping with examples
  • [Updated] OneTrust
    • New action: Create Organization
  • [Updated] Sumo Logic CSE
    • Fixed issue in the "Add Comment To Insight" action where line breaks in the "Insight Comment" field were removed upon submission
  • [Updated] AWS IAM
    • New action: Get Access Key Last Used
    • Fixed bug in some actions
  • [Updated] Incident Tools
    • Fixed Typo
  • [Updated] Atlassian Jira
    • Enhanced "Create Issue" and "Update Issue" actions to support Jira custom fields
  • [Updated] Screenshot Machine
    • Screenshot Webpage Action: Updated with new Cloud SOAR API
  • [Updated] Chronicle
    • New actions:
      • Get Event
      • Get Events
      • Get Log
      • List Alerts
      • UDM Search
    • Fixed a bug related to the PageSize field in the List Alerts action
    • Updated Alerts Daemon Chronicle
      • Fixed a bug related to Last execution time
      • Updated Output mappings
  • [Updated] Zscaler
    • Fixed an issue that prevented some actions from being executed
  • [Updated] Mail Tools
    • Updated Analyze MSG EML action with new Cloud SOAR API
  • [Updated] Recorded Future
    • Refactored Recorded Future Alerts Daemon
    • Refactored Vulnerability Search Daemon
    • Enabled Incident Artifacts feature flag for Get Alert Details action
  • [Updated] GreyNoise
    • New action: Context IP Lookup Community
    • Other minor fixes

Changes and Enhancements​

  • Playbooks:
    • Enabled playbook testing. With this improvement it is now possible to test a playbook configuration before publishing it, using Insight, Incident or custom JSON as input.
    • Action configuration: Integration fields configuration now suggests default values, if present.
    • UserChoice, answer by Email: Fixed Authorizer usage from previous nodes.
  • AppCentral: Within the Integrations section, each integration card now contains a hyperlink to the related public documentation page Integrations in App Central.
  • Integrations: It is now possible to send custom commands when an integration docker image is created. This feature is available for Not Certified integration only.

Cloud SOAR​

  • Enabled a new reporting feature for case management and dashboards.

Bug fixes​

  • Integrations:
    • Fixed Resource test issue.
  • AppCentral: Fixed playbook preview when maximized view is used.

Cloud SOAR​

  • Rules: Fixed scheduled execution.
  • Tasks: Fixed creation if a required field is dismissed.
  • Incidents: Fixed full screen view buttons for widgets.
  • Notes: Fixed CSV export.

New Documentation for the Cloud SOAR SaaS version​​

We are excited to announce the following new documentation for features in our Cloud SOAR SaaS version:

  • Features:
  • Open Integration Framework:
    • Integration Builder allows you to build integrations without needing to provide code
    • Integrations, and related action execution, can be done in the cloud or through the Bridge. Only certified integrations can be executed in the cloud.
    • Certified integrations allow you to customize JSON and table output schema
    • Actions configuration during playbook design is rearranged for easier use
  • Architecture:
    • Fully-functional in the Cloud (the Bridge is only required for custom integrations)
    • User and profile management is in Sumo Logic core platform instead of Cloud SOAR
    • Automatic scalability based on server load
    • Cloud SOAR APIs are standardized to use the same infrastructure as APIs in the Sumo Logic core platform

Changes and Enhancements​

  • Added public help document for supported integrations. See Integrations in App Central.
  • Integrations: Added possibility to rename an integration keeping original reference in YAML.
  • Playbooks:
    • List view set as default. View changes are saved in user preferences.
    • Deprecated Nested attribute.
    • Added possibility to dynamically reference a resource in actions.
  • Automation now tracks failed actions executions.

Cloud SOAR​

  • Playbooks: Fixed insight execution for nested playbooks with more than 2 nesting levels.
  • Rules: Added ability to change the Daemon Name or Integration Resource within an existing automation rule.

Bug fixes​

  • Email encoding a character to UTF8 for literal string fixed.
  • Playbooks:
    • Unable to use variable fields with quotes in text area fixed.
    • Fixed playbook inputs not visible in TextArea placeholder.
    • Resolved scheduled action execution issue with playbook status.

Cloud SOAR​

  • Incidents:
    • Fixed war room export for updated tasks.
    • Fixed possibility to copy table contents in Notes description field.
    • Incident creation: Fixed infinite spinner in Automation tab.

This release introduces new integrations, as well as new Playbooks related to Cloud Infrastructure Security for AWS.

Integrations​

  • [New] Axonius
  • [New] OneTrust
  • [New] AWS Network Firewall
  • [Updated] Azure AD
    • Added New Action: Get Member Groups
  • [Updated] AWS IAM
    • Added New Action: Update Access Key
  • [Updated] Slack
    • Updated action: Ask Question
  • [Updated] AWS EC2
    • Updated action: Stop Instance
  • [Updated] Atlassian Jira*
    • Several changes have been made. This update introduces BREAKING CHANGES: both the Output Mapping and Input fields have been revised and updated. This version is specific to Jira Server and Data Center.

* These integrations have been migrated and are now available in this release.

Playbooks​

  • [New] 540 - EC2 instance accessed from malicious IP
  • [New] 539 - Amazon GuardDuty InstanceCredentialExfiltration finding
  • [New] 538 - Admin Privileges Granted
  • [New] 537 - Amazon GuardDuty BruteForce finding

This release introduces two new integrations, ipdata and Google Alert Center, as well as several updates.

Integrations​

  • [New] ipdata
  • [New] Google Alert Center
  • [Updated] PowerShell Tools
    • Updated the integration to address hostname resolution in Docker
  • [Updated] Panda EDR
    • Fixed Token Issue
  • [Updated] IPinfo
    • Enabled Incident Artifacts for IP Address field
  • [Updated] CSE Tools
    • Extended output mapping for Get Signal action
  • [Updated] Sumo Logic
    • Updated Search Sumo Logic Action
  • [Updated] Have I Been Pwned
    • Added new action: Get Latest Breach
  • [Updated] Sumo Logic CSE
    • Added new Action: Create Insight From Signals
    • Updated Add Enrichment Insight, Add Enrichment Entity, and Add Enrichment Signal actions
  • [Updated] Incident Tools
    • Added new action: Get Incident
  • [Updated] Lacework
    • Added new action: Close Alert
  • [Updated] Active Directory V2
    • Updated action: User Attributes
  • [Updated] Active Directory
    • Updated action: User Attributes V2

Changes and Enhancements​

  • Playbooks: UserChoice nodes can be handled now from Slack workspace (see documentation).

Cloud SOAR​

  • New privilege "Api Admin": Enabling this privilege in Log Analytics Platform will allow user to handle incident operations without being involved directly as investigator.

Bug fixes​

  • Fixed black screen when opening a Cloud SOAR or Automation Service URL with invalid session.
  • Playbooks:
    • Fixed: Parameters not being passed to nested playbooks.
    • Fixed: Configuration loss after being installed from App Central.
    • Placeholder TextArea with < and > that were converted in "spaces" in HTML.

Cloud SOAR​

  • Groups: Fixed member removal that could result in broken requests.
  • Playbooks:
    • TextArea fixed placeholder view for Artifacts fields.
    • Incident ID placeholder available in node configuration.

Automation Service​

  • Playbooks: Start node parameters fixed by using a β€œ.” or a "space" in parameter names that were converted into _.

This is an archive of 2023 Cloud SOAR Release Notes. The current Cloud SOAR Release Notes are here.

To view the full archive, click here.

Status
Legal
Privacy Statement
Terms of Use

Copyright Β© 2024 by Sumo Logic, Inc.