Demisto Content Release Notes for version 20.2.0 (40231)
Published on 04 February 2020
Breaking Changes
Changed several indicator field names, which might cause backwards compatibility issues for mapping indicator fields.
Integrations
4 New Integrations
- __Devo v2__
Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables.
- __CloudShark__
Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
- __Palo Alto Networks - Prisma Cloud Compute__
Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
- __Sixgill__
Use the Sixgill integration to fetch alerts as incidents. Sixgill provides alerts that are based on organization assets, enabling you to take proactive steps to eliminate and mitigate your threats.
14 Improved Integrations
- __Palo Alto Networks Cortex XDR - Investigation and Response__
- Fixed an issue where trailing whitespaces would effect outputs.
- Implemented the Cortex XDR API v2.
- Added 11 Traps commands.
- ***xdr-isolate-endpoint***
- ***xdr-unisolate-endpoint***
- ***xdr-get-endpoints***
- ***xdr-insert-parsed-alert***
- ***xdr-insert-cef-alerts***
- ***xdr-get-audit-management-logs***
- ***xdr-get-audit-agent-reports***
- ***xdr-get-distribution-versions***
- ***xdr-get-distribution-url***
- ***xdr-get-create-distribution-status***
- ***xdr-create-distribution***
- __Red Canary__
Fixed an issue with fetch-incidents in which detections were not properly fetched.
- __VulnDB__
Added the ***cve*** command, which returns CVE information.
- __Palo Alto Networks AutoFocus V2__
Added the ***autofocus-get-export-list-indicators*** command.
- __IBM QRadar__
Added immediate recovery for HTTP requests in case of connection error, which should help when QRadar SIEM is busy.
- __Microsoft Graph Mail__
Fixed an issue where the listing emails were not comparing the mail ID.
- __SplunkPy__
- The **Test** button now tests the fetch incidents function when the *Fetch incidents* option is selected.
- Fixed an issue in the *Splunk notable events ES query* parameter where the time parameter was not passed to the table in Splunk.
- __Rasterize__
- Added support for specifying advanced Chrome options.
- Improved rendering of large HTML files.
- __Mimecast__
Added the ***mimecast-update-policy*** command.
- __Demisto REST API__
Improved descriptions and fixed a typo.
- __Securonix__
- Added the *Host* parameter, which if supplied overrides the default hostname.
- Added 4 commands.
- ***securonix-create-incident***
- ***securonix-create-watchlist***
- ***securonix-check-entity-in-watchlist***
- ***securonix-add-entity-to-watchlist***
- __Atlassian Jira (v2)__
Fixed an issue in the ***jira-get-issue*** command where retrieving issue attachments failed.
- __dnstwist__
Fixed an issue with creating outputs for the ***dnstwist-domain-variations*** command.
- __Kafka V2__
Improved the description of the ***kafka-fetch-partitions*** command.
---
Scripts
7 New Scripts
- __IsInternalHostName__
Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
- __CreateIndicatorsFromSTIX__
Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
- __PrismaCloudComputeParseAuditAlert__
Parses raw JSON data for Audit alerts.
- __PrismaCloudComputeParseComplianceAlert__
Parses raw JSON data for Compliance alerts.
- __PrismaCloudComputeParseVulnerabilityAlert__
Parses raw JSON data for Vulnerability alerts.
- __PrismaCloudComputeParseCloudDiscoveryAlert__
Parses raw JSON data for Cloud Discovery alerts.
- __YaraScan__
Performs a Yara scan on the supplied files.
6 Improved Scripts
- __SaneDocReports__
Fixed an issue where, in rare cases, investigation reports crashed.
- __UnzipFile__
Fixed an issue where the script returned the file metadata instead of the file contents.
- __ReadPDFFileV2__
Fixed an issue where the script failed for some PDF files with the error: *Syntax Error: Invalid object stream Internal Error: xref num 2245 not found but needed, try to reconstruct<0a>*.
- __ParseEmailFiles__
Added handling for EML files with no Content-Type header. The script will treat the file as email text with no attachments.
- __CommonServerPython__
Added the ***ip_to_indicator_type*** command.
- __XDRSyncScript__
Updated outputs and added additional alert outputs.
---
Playbooks
10 New Playbooks
- \*__SANS - Incident Handler's Handbook Template__
This playbook contains the phases for handling an incident as they are described in the [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ) by Patrick Kral.\*
- \*__SANS - Incident Handlers Checklist__
This playbook follows the "Incident Handler's Checklist" described in the [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ) by Patrick Kral.
- \*__SANS - Lessons Learned__
This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented by [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ) by Patrick Kral.
- __Wait Until Datetime__
Pauses execution until the date and time that was specified in the playbook input is reached.
- __Prisma Cloud Compute - Cloud Discovery Alert__
The default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts.
- __Prisma Cloud Compute - Vulnerability Alert__
Default playbook for parsing Prisma Cloud Compute vulnerability alerts.
- __Prisma Cloud Compute - Audit Alert__
Default playbook for parsing Prisma Cloud Compute audit alerts.
- __Splunk Indicator Hunting__
Queries Splunk for indicators such as file hashes, IP addresses, domains, or URLs. It outputs detected users, IP addresses, and hostnames related to the indicators.
- __Sixgill - DarkFeed - Indicators__
Extracts a STIX bundle and then uses the **StixParser** automation to parse and push indicators to Demisto.
- __Prisma Cloud Compute - Compliance Alert__
The default playbook for parsing Prisma Cloud Compute compliance alerts.
\* ***Disclaimer***: The SANS playbooks do not ensure compliance with SANS regulations.
3 Improved Playbooks
- __PANW - Hunting and threat detection by indicator type V2__
Fixed missing task link.
- __IT - Employee Offboarding__
Added functionality that enables offboarding employees on a future date.
- __IT - Employee Offboarding - Manual__
Added functionality that enables offboarding employees on a future date (manually).
---
Incident Fields
- __Offboarding Date__
The date and time when the employee offboarding process should begin.
This incident field is associated to the new **AWS EC2 Instance Misconfiguration** incident type.
---
Incident Layouts
6 New Incident Layouts
- __AWS EC2 Instance Misconfiguration - Summary__
- __Sixgill Threat - Summary__
- __Prisma Cloud Compute Audit - Summary__
- __Prisma Cloud Compute Compliance - Summary__
- __Prisma Cloud Compute Cloud Discovery - Summary__
- __Prisma Cloud Compute Vulnerability - Summary__
2 Improved Incident Layouts
- __Employee Offboarding - Summary__
Added a field for the date and time when the offboarding process began.
- __Employee Offboarding - New/Edit__
Added an option to select a future date and time at which to begin employee offboarding.
---
Classification & Mapping
3 Improved Classification & Mapping
- __RedLock__
Added classification to the **AWS EC2 Instance Misconfiguration** incident type.
- __Cortex XDR - IR__
Added the *host_count* field to the mapping of the Cortex XDR integration, with the incident type **Cortex XDR Incident**. (Available from Demisto v5.0)
- __prismaCloud_app__
Added classification to the **AWS EC2 Instance Misconfiguration** incident type.
---