Gaining Altitude: A Look at What’s New in the Cortex XSOAR Marketplace Quarterly Update

Apr 30, 2021
10 minutes
... views

Time has flown since we launched the Cortex XSOAR Marketplace last August, with hundreds of new content packs added over the past seven months. Today, we have a total of 658 content packs, with over 63K downloads!

As an innovator in the security market, it is our goal to provide assurance for the SOC that they can expect and rely on content updates they need to keep the organization safe and maintain their business operations without skipping a beat.

This year has also brought its share of high profile breaches, and our development teams delivered the SolarStorm Breach Rapid Response and Ransomware content packs at the right time to help SOC teams speed discovery and remediation of compromised hosts. Our technology partners have also been busy creating unique new offerings and content packs for the Marketplace.

The organic innovation that is happening in the ecosystem brings us to a new era where partners are innovating and actively contributing to the Marketplace. Last month, we celebrated a major milestone with our 100th partner contributed pack from Sailpoint!

The vision of Marketplace is becoming a reality driven by active exchange and delivering value on both sides to our partners and our customers.

I am really excited that we are starting to see beyond the traditional SOC use cases. For example, we now have hybrid use cases where IT products like Rubrik, which offers a framework for data storage, are being used to address ransomware use cases. These new use cases mean that users will be able to leverage automation for way more than incident response and the platform can now deliver so much more value for our customers.

As our Marketplace community matures, I would love to see use case contributions from our customers who are the experts in their industries so that their peers may benefit from their automation journey experience. I look forward to this next phase of innovation and exchange within our community.

New Marketplace Content Packs from January 2021 through March 2021

We added 92 new packs last quarter covering a wide range of security automation use cases including threat intel feeds, end-user security awareness training, attack surface scanning, SIEM alert management, authentication, case management, rapid breach response packs, and more.

Check out the full list below.

Analytics & SIEM

Cisco Stealthwatch - Analyzes network sessions and provides analytics for scalable visibility. (21.3.2 Release)

LogPoint SIEM Integration - Fetch, analyze, and respond to incident logs in real-time. (21.2.0 Release)

Rapid7 InsightIDR - A Cloud-based SIEM that detects and responds to security incidents. (21.1.0 Release)


Centrify Vault - Create and manage secrets in Centrify Vault. (20.12.1 Release)

LSASS Credential Dumping - Detects researched credential dumping attacks. (21.2.0 Release)

Mantis - Create and update issues in Mantis Bug Tracker. (21.2.0 Release)

Case Management

Manage Engine Service Desk Plus (On-Prem) - IT service management software that provides visibility and central control to deal with IT issues. (21.3.0 Release)

Opsgenie v2 - Create and read alerts, schedules and on-call information from the Opsgenie platform. (21.3.1 Release)


Microsoft Policy and Compliance - Search the unified Microsoft audit log to view user and administrator activity in your organization. (21.3.2 Release)

With the number of large data breaches and critical exploits you see in the news today, it is no surprise we have prioritized delivering so many content packs around the category of data enrichment and threat intelligence to give teams the real-time context they need to spot and stop emerging threats. Having just one bad indicator identified can make all the difference in how quickly your team recognizes an incident and if they can detect it before something more serious occurs.

Data Enrichment & Threat Intelligence

Bitcoin Abuse - Access a public database of bitcoin addresses used by scammers, hackers, and criminals. (21.1.0 Release)

CTIX - Enrich IP, domain, URL, and file data. (21.3.1 Release)

Cyberint - Help your enterprise effectively consume actionable cyber alerts. (21.2.0 Release)

Cyren Threat InDepth Threat Intelligence - Provides visibility into new email-borne security threats. (21.1.1 Release)

Cryptocurrency - Verify and add a reputation for valid cryptocurrency addresses. (20.12.1 Release)

Expanse v2 - Automate Attack Surface Management to identify assets and remediate misconfigurations. (21.1.0 Release)

Expanse X509 Certificate - Manage X509 Certificates. (20.12.1 Release)

Feed DHS - Provides indicators from CISA’s free Automated Indicator Sharing (AIS). (21.2.1 Release)

FraudWatch PhishPortal - Anti-phishing and other brand solutions to protect your brand and clients against online brand-related abuse. (21.3.2 Release)

GreyNoise - Receive, identify, and track alerts, false positives, compromised devices, and more. (21.2.1 Release)

Gurucul Risk Analytics - A cloud native platform that predicts, detects and prevents breaches. (21.1.1 Release)

Intel471 - Fetches actors and malware-related indicators. (21.2.0 Release)

Ja3er - Query the ja3er API for MD5 hashes of JA3 fingerprints. (21.2.1 Release)

JARM - Generates fingerprints from the active Transport Layer Security server tool within the pyJARM library. (21.3.0 Release)

Mnemonic MDR - Rapidly detect, analyze and respond to security threats with this feed. (21.1.0 Release)

NCSC Cyber Assessment Framework - Automatically runs an assessment based on NCSC guidelines. (21.2.0 Release)

Office365 and Azure Audit Log Pack - Pulls logs from the O365 service. (21.2.1 Release)

Public DNS Feed - Identify known IPs associated with public DNS servers. (20.12.1 Release)

RST Threat Feed - Aggregated, filtered, and scored threat intelligence database. (21.2.0 Release)

Rubrik Polaris - Creates a new incident when a Polaris Radar anomaly event is detected and determines whether any Sonar data classification hits were found on that object. (21.3.0 Release)

SalesForce Indicators - Pulls any Salesforce object as an indicator. (21.3.0 Release)

Shadow IT - Provides additional capabilities for handling Shadow IT incidents. (21.1.0 Release)

Twinwave - Navigates the complex attack chains used to evade analysis of phishing and malware threats. (21.1.0 Release)

USTA - Utilize threat-intel solutions for critical infrastructures. (21.3.2 Release)

XM Cyber Incident Classifier - Identify attack vectors to critical assets at risk and enrich incidents with XM Cyber attack information. (20.12.0 Release)

We also continue to prioritize making integrated endpoint and malware analysis content packs to help take the burden off of resource limited security teams. Having the expertise with the full skill set to stay on top of the new techniques in malware, ransomware, and phishing attacks can be a challenge. That is why the advancements around deception technology, email gateways, endpoint security, and forensics and malware analysis are so critical to successfully scaling to meet the requirements of today’s threat landscape.


Acalvio ShadowPlex - Offers advanced threat detection, investigation, and response capabilities. (21.2.0 Release)

Email Gateway

Agari Phishing Defense - Stops phishing, BEC, and other identity deception attacks. (21.2.0 Release)

Campaign - Search for specific email incidents, and define criteria for collection and campaign creation. (21.3.1 Release)

GreatHorn - Stops targeted social engineering and phishing attacks on cloud email platforms. (21.2.1 Release)

Endpoint Security

MobileIron-UEM - Fetches device data and incidents from both MobileIron Core and Cloud. (21.1.0 Release)

Sophos Central - Manage Sophos products. (20.12.1 Release)

Windows Remote Management - Execute a windows process with Python pywinrm commands. (20.12.1 Release)

Forensics & Malware Analysis

FireEye Detection on Demand - Flexible file and content analysis to identify malicious behavior.(21.2.1 Release)

Forti Sandbox - Submit files for malware analysis and retrieve a rated report. (21.2.1 Release)

Malware Lateral Movement Assessment - Remediates malware's lateral movement impact in an organization from a phishing campaign. (21.3.0 Release)

File Integrity Management

Tripwire - Identify IPs from Tripwire incidents. (20.12.1 Release)

Identity and Access Management

Atlassian IAM - Create, read, update, and delete IAM operations for employee lifecycle processes. (21.3.0 Release)

IAM SCIM - Classifiers for Identity Access Management integrations that use SCIM. (20.12.0 Release)

Microsoft Graph Identity & Access - Manage administrators, invite external users to your organization, and discover information about users’ group and role memberships. (21.3.0 Release)

SailPoint IdentityNow - Leverage data from the SailPoint IdentityNow Platform. (21.3.2 Release)

SailPoint IdentityIQ - Gain data from the Sailpoint Predictive Identity Platform to enrich security practices. (21.2.1 Release)

As we mentioned earlier, we are adding more content packs addressing non-traditional SOC use cases, extending to IT Services, Network Security Utilities, Messaging and Vulnerability Management. For example the new Ansible packs enable non-coders to automate the management of IT infrastructure operations.

IT Services

Ansible Powered Integrations - A community pack that runs ansible modules as native XSOAR commands. (21.3.0 Release)

Ansible Tower - Manage and execute automated actions and tasks on hosts with Ansible. (21.1.1 Release)

AWS Network Firewall - Manage and update your AWS Network Firewall to effectively filter traffic at the perimeter of your Virtual Private Cloud (VPC). (20.12.1 Release)

Azure Kubernetes Services - Deploy and manage containerized applications with the Kubernetes service. (21.2.1 Release)

Azure SQL Management (Beta) - Integrate the feed of Azure’s managed Cloud database. (21.2.1 Release)

Google Drive - Manage, query, and create Google Drives. (20.12.0 Release)

Microsoft Graph Applications - Manage connected applications and services by retrieving detailed lists of service principals. (21.3.0 Release)

Nutanix Hypervisor - Abstracts and isolates the VMs and their programs from their server hardware. (21.2.1 Release)

QualysFIM - Detects and identifies critical changes, incidents, and risks resulting from events across the organization. (21.3.2 Release)

Tidy Pack - Handle endpoints environment installation. (21.2.1 Release)

UnifiVideo NVR - Fetches motion events as incidents, allowing you to take video recordings and snapshots. (21.3.2 Release)


RSS (Really Simple Syndication) - Ingest new items as incidents with RSS. (20.12.0 Release)

Network Security

Azure Security Networks - Filter network traffic to and from Azure resources in an Azure virtual network. (21.1.0 Release)

Azure WAF - Detect and respond to web related attacks targeting Azure servers. (21.1.0 Release)

Cisco Umbrella Enforcement - Add and remove domains in Cisco OpenDNS. (20.12.1 Release)

Darktrace - Enrich incidents with Darktrace anomaly detection (model breach) information. (20.12.1 Release)

Gamma - Streamline discovery, classification, and remediation of data loss instances across Enterprise SaaS applications. (21.3.2 Release)

Palo Alto Networks IoT 3rd Party Integrations - Communicates with IoT Cloud to get alerts, vulnerabilities, and devices. (21.2.1 Release)

PICUS - Breach and attack simulation tools. (21.3.1 Release)

Rapid Breach Response - Find and quarantine SolarStorm and SUNBURST infections. (20.12.1 Release)

Sophos XG Firewall - Manage firewalls, respond to threats, and monitor your network. (21.2.1 Release)

SSL Certificate Verifier - Verify the validity of your SSL certificate and get the time until expiration. (21.2.0 Release)


Arduino - Connects to and controls an Arduino pin system using the network. (21.2.0 Release)

Cloud Convert - Convert a file to the required format using CloudConvert. (20.12.1 Release)

CloudShare - Gain additional insight into your environment through the web UI. (21.1.0 Release)

Cognni - Detect and investigate security incidents and potential threats and security incidents from Cognni. (21.1.1 Release)

Computer Vision Engine - Processing images or movies and detects related objects with Machine Learning. (21.2.0 Release)

GraphQL - The Generic GraphQL client can interact with any GraphQL server API. (21.3.0 Release)

MapRegex - Takes values and transforms them based on multiple regular expressions as defined in JSON dictionaries. (21.1.0 Release)

Microsoft Graph API - Interact with Microsoft products including Mail Single-User. (20.12.0 Release)

Modules Management - Manage integration instances. (20.12.1 Release)

Netmiko - Executes commands supported by the Netmiko Python library against hosts. (21.2.0 Release)

Orca - Agentless, workload-deep, contextual security and compliance for AWS, Azure, and GCP. (21.2.0 Release)

PANW Automatic SLR - Automatically generate Security Lifetime Reviews (SLR’s). (21.2.0 Release)

ParseYAML - Parses a YAML string into context. (21.3.2 Release)

Popular Cybersecurity News - Fetch recent news from popular cybersecurity sites.

QR Code Reader - Reads a QR code from an image file. (21.3.1 Release)

UpdateEntriesBySearch - Search through WarRoom and set tags and marks as notes or evidence. (21.3.1 Release)

XSOAR - Simple Dev to Prod - Simplify exporting custom content items such as Playbooks, Automations, BYOI integrations, etc between your XSOAR Development and Production environments. (21.3.0 Release)

xMatters - Notify users and route responses with xMatters. (20.12.0 Release)

Vulnerability Management

Cymptom - Transforms attack simulation into a data analysis question. (21.2.1 Release)

NIST NVD - Connect with the National Vulnerability Database for research on vulnerabilities and vulnerable products. (21.3.1 Release)

For a full breakdown of all the new XSOAR Integrations, check out the different release notes:

20.12.0 Release Notes

20.12.1 Release Notes

21.1.0 Release Notes

21.1.1 Release Notes

21.2.0 Release Notes

21.2.1 Release Notes

21.3.0 Release Notes

21.3.1 Release Notes

21.3.2 Release Notes

Sign up for the monthly What’s SOARing Newsletter to stay up to date on key SOC resources, the latest content releases, and upcoming events

Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.