Demisto-py

Latest version: v3.3.0


20.3.1

Demisto Content Release Notes for version 20.3.1 (42860)
Published on 04 March 2020
---
Integrations

New Integrations
- __CVE Search v2__
Searches for CVE information using circl.lu.
7 Improved Integrations
- __Anomali ThreatStream v2__
Fixed an issue where inactive indicators were taken into account.
- __Atlassian Jira v2__
Fixed an issue in the ***jira-create-issue*** and ***jira-edit-issue*** commands where the due date was not set correctly.
- __CyberArk AIM__
Improved display of integration parameters.
- __CVE Search__
Added batch support to the ***cve-search*** command.
- __Rasterize__
- Fixed the setting **Use system proxy settings**, so proxies are ignored when not enabled.
- Fixed an issue with the ***rasterize*** command in which child processes were defunct when using a proxy server.
- __AbuseIPDB__
- Improved parsing in the ***ip*** command.
- __SplunkPy__
- Fixed an issue where ***fetch-incidents*** did not work as intended.
- Fixed an issue where ***splunk-parse-raw*** command cut the last character of parsed fields.

---
Scripts
New Scripts
- __DBotPredictOutOfTheBox__
Predicts phishing incidents using the out-of-the-box pretrained model.
---
Playbooks

New Playbook
- __Kenna - Search and Handle Asset Vulnerabilities__
This playbook accepts an asset, then searches for vulnerabilities on that asset using the Kenna integration. If a vulnerability exists, it looks for relevant patches, lets the analyst deploy them and then generates an investigation summary report.

Improved Playbook
- __QRadar Indicator Hunting V2__
Fixed missing task links.

---
XSOAR 5.5 Beta release
Feeds

20.2.4

Demisto Content Release Notes for version 20.2.4 (42218)
Published on 24 February 2020
---

20.2.3

Demisto Content Release Notes for version 20.2.3 (41510)
Published on 18 February 2020
Integrations

2 New Integrations
- __Lastline v2__
Use the Lastline v2 integration to provide threat analysts and incident response teams with an advanced malware isolation and inspection environment for safely executing advanced malware samples and understanding their behavior.
- __Akamai WAF__
Use the Akamai WAF integration to manage common sets of lists used by various Akamai security products and features.

10 Improved Integrations
- __SplunkPy__
Added the *app* argument to the following commands.
- ***splunk-job-create***
- ***splunk-search***
- __SumoLogic__
- Added the *waitForSearchComplete* parameter, which causes the search to wait for the query to iterate over all messages before returning results.
- Bugfix: wait for the query to complete when fetching incidents as aggregate records.
- __ZeroFox__
Fixed an issue where the same incident was repeatedly fetched.
- __McAfee Web Gateway__
Fixed an issue where the integration parameters were exposed in the log.
- __Mail Sender (New)__
Fixed an issue where in some cases attachments displayed as being empty.
- __Elasticsearch v2__
You can now fetch incidents without specifying the *Date Format* parameter.
- __ArcSight ESM v2__
Fixed an issue where the output for the ***as-get-entries*** command was not in the correct format for results with a large number of objects.
- __Rasterize__
- Updated Chromium to version 80.
- Added support for specifying a maximum page load time. The default value is 180 seconds.
- Changed the default user agent to match the Chrome user agent.
- __RSA NetWitness v11.1__
- Fixed an issue with ***fetch-incidents*** where setting a *Fetch Limit* would drop older incidents if the number of the fetched incidents was greater than the limit.
- Added the *pageNumber* argument to the ***netwitness-get-incidents*** command. The argument allows the user to get incidents from a specific page and is intended to be used with the *limit* argument.
- __Palo Alto Networks PAN-OS__
- The *name* argument is now mandatory in the ***panorama-get-service*** command.
- Added 7 commands.
- ***panorama-download-latest-content-update***
- ***panorama-content-update-download-status***
- ***panorama-install-latest-content-update***
- ***panorama-content-update-install-status***
- ***panorama-check-latest-panos-software***
- ***panorama-download-panos-version***
- ***panorama-download-panos-status***


---
Scripts

New Script
- __YaraScan__
Performs a Yara scan on the specified files.

2 Improved Scripts
- __ReadPDFFileV2__
- Fixed a bug where email addresses were labeled as URLs.
- Added Email standard output.
- __DockerHardeningCheck__
Updated the error entry with a detailed explanation of the failure.

---
Playbooks

5 New Playbooks
- __NetOps - Upgrade PAN-OS Firewall Device__
Network operations playbook that upgrades the firewall. A superuser is required to update the PAN-OS version.
- __NetOps - Firewall Version and Content Upgrade__
Network operations playbook that updates the version and the content of the firewall. A superuser is required to update the PAN-OS version.
- __Detonate URL - Lastline v2__
Detonates a URL using the Lastline sandbox integration.
- __Akamai WAF - Activate Network Lists__
Activates network lists in Staging or Production on Akamai WAF. The playbook finishes running when the network list is active on the requested environment.
- __Detonate File - Lastline v2__
Detonates a file using the Lastline sandbox.

2 Improved Playbooks
- __Detonate URL - Generic__
Replaced the **Detonate URL - Lastline** sub-playbook with **Detonate URL - Lastline v2**.
- __Detonate File - Generic__
Replaced the **Detonate File - Lastline** sub-playbook with **Detonate File - Lastline v2**.

---
Incident Fields

New Incident Field
- __Target Firewall Version__
Version to install on the firewall for PAN-OS, for example: 9.0.5.
- ***panorama-install-panos-version***
- ***panorama-install-panos-status***
- ***panorama-device-reboot***

20.2.2

Demisto Content Release Notes for version 20.2.2 (40656)
Published on 09 February 2020

This is a patch release for Content Release 20.2.2.

7 Improved Integrations
- __Palo Alto Networks PAN-OS__
- Fixed an issue in the ***panorama-create-rule*** and ***panorama-create-block-rule*** commands.
- Added the *category* argument to the ***panorama-create-rule*** command.
- __Kenna V2__
You can supply a list for the *id*, *status*, and *top-priority* arguments in the following commands.
- ***kenna-search-assets***
- ***kenna-get-asset-vulnerabilities***
- ***kenna-search-fixes***
- ***kenna-search-vulnerabilities***
- __Microsoft Graph Mail__
Fixed an issue where not all items were retrieved from a mailbox.
- __QRadar__
Fixed an issue where the ***qradar-get-search-results*** and ***qradar-get-search*** commands ignored the *headers* argument.
- __Securonix__
Fixed an issue where the integration failed to fetch incidents.
- __Carbon Black Defense__
- Added proper error messages for missing fetch parameters.
- Added a detailed description that describes how to retrieve the fetch parameters: SIEM Key and SIEM ID.
- __Netskope__
Fixed an issue where the last fetch time was not updated correctly.
---
Playbooks

2 New Playbooks
- __PAN-OS EDL Setup v2__
- Configures an external dynamic list in PAN-OS.
- If the EDL file exists on the web server, it will sync to Demisto and create an EDL object with a matching rule.
- __PAN-OS - Create Or Edit EDL Rule__
Creates or edits a Panorama rule and moves it to the specified position.

2 Improved Playbooks
- __Block IOCs from CSV - External Dynamic List__
Fixed an issue where the first condition worked only for some CSV files.
- __PAN-OS - Block IP and URL - External Dynamic List__
- Fixed issue with task inputs.
- Added new sub-playbooks.

For more information about the release, see [20.2.0](https://github.com/demisto/content/releases/tag/20.2.0)

20.2.1

Demisto Content Release Notes for version 20.2.1 (40537)
Published on 6 February 2020
---
This is a hotfix release.
- Fixed an issue in the SearchIncidents script in which an error was raised when no incidents were found.

1 New Script
- __SearchIncidentsV2__
Searches Demisto incidents.

Deprecated Script
- __SearchIncidents__
Use the **SearchIncidentsV2** script instead.

20.2.0

Demisto Content Release Notes for version 20.2.0 (40231)
Published on 04 February 2020

Breaking Changes
Changed several indicator field names, which might cause backwards compatibility issues for mapping indicator fields.

Integrations

4 New Integrations
- __Devo v2__
Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables.
- __CloudShark__
Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
- __Palo Alto Networks - Prisma Cloud Compute__
Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
- __Sixgill__
Use the Sixgill integration to fetch alerts as incidents. Sixgill provides alerts that are based on organization assets, enabling you to take proactive steps to eliminate and mitigate your threats.

14 Improved Integrations
- __Palo Alto Networks Cortex XDR - Investigation and Response__
- Fixed an issue where trailing whitespace would affect outputs.
- Implemented the Cortex XDR API v2.
- Added 11 Traps commands.
- ***xdr-isolate-endpoint***
- ***xdr-unisolate-endpoint***
- ***xdr-get-endpoints***
- ***xdr-insert-parsed-alert***
- ***xdr-insert-cef-alerts***
- ***xdr-get-audit-management-logs***
- ***xdr-get-audit-agent-reports***
- ***xdr-get-distribution-versions***
- ***xdr-get-distribution-url***
- ***xdr-get-create-distribution-status***
- ***xdr-create-distribution***
- __Red Canary__
Fixed an issue with ***fetch-incidents*** in which detections were not properly fetched.
- __VulnDB__
Added the ***cve*** command, which returns CVE information.
- __Palo Alto Networks AutoFocus V2__
Added the ***autofocus-get-export-list-indicators*** command.
- __IBM QRadar__
Added immediate recovery for HTTP requests in case of connection error, which should help when QRadar SIEM is busy.
- __Microsoft Graph Mail__
Fixed an issue where listing emails did not compare the mail ID.
- __SplunkPy__
- The **Test** button now tests the fetch incidents function when the *Fetch incidents* option is selected.
- Fixed an issue in the *Splunk notable events ES query* parameter where the time parameter was not passed to the table in Splunk.
- __Rasterize__
- Added support for specifying advanced Chrome options.
- Improved rendering of large HTML files.
- __Mimecast__
Added the ***mimecast-update-policy*** command.
- __Demisto REST API__
Improved descriptions and fixed a typo.
- __Securonix__
- Added the *Host* parameter, which if supplied overrides the default hostname.
- Added 4 commands.
- ***securonix-create-incident***
- ***securonix-create-watchlist***
- ***securonix-check-entity-in-watchlist***
- ***securonix-add-entity-to-watchlist***
- __Atlassian Jira (v2)__
Fixed an issue in the ***jira-get-issue*** command where retrieving issue attachments failed.
- __dnstwist__
Fixed an issue with creating outputs for the ***dnstwist-domain-variations*** command.
- __Kafka V2__
Improved the description of the ***kafka-fetch-partitions*** command.

---
Scripts

7 New Scripts
- __IsInternalHostName__
Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
- __CreateIndicatorsFromSTIX__
Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
- __PrismaCloudComputeParseAuditAlert__
Parses raw JSON data for Audit alerts.
- __PrismaCloudComputeParseComplianceAlert__
Parses raw JSON data for Compliance alerts.
- __PrismaCloudComputeParseVulnerabilityAlert__
Parses raw JSON data for Vulnerability alerts.
- __PrismaCloudComputeParseCloudDiscoveryAlert__
Parses raw JSON data for Cloud Discovery alerts.
- __YaraScan__
Performs a Yara scan on the supplied files.

6 Improved Scripts
- __SaneDocReports__
Fixed an issue where, in rare cases, investigation reports crashed.
- __UnzipFile__
Fixed an issue where the script returned the file metadata instead of the file contents.
- __ReadPDFFileV2__
Fixed an issue where the script failed for some PDF files with the error: *Syntax Error: Invalid object stream Internal Error: xref num 2245 not found but needed, try to reconstruct<0a>*.
- __ParseEmailFiles__
Added handling for EML files with no Content-Type header. The script will treat the file as email text with no attachments.
- __CommonServerPython__
Added the ***ip_to_indicator_type*** command.
- __XDRSyncScript__
Updated outputs and added additional alert outputs.

---
Playbooks

10 New Playbooks
- __SANS - Incident Handler's Handbook Template__ \*
This playbook contains the phases for handling an incident as they are described in the [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901) by Patrick Kral.
- __SANS - Incident Handlers Checklist__ \*
This playbook follows the "Incident Handler's Checklist" described in the [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901) by Patrick Kral.
- __SANS - Lessons Learned__ \*
This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented in the [SANS Institute Incident Handler's Handbook](https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901) by Patrick Kral.
- __Wait Until Datetime__
Pauses execution until the date and time that was specified in the playbook input is reached.
- __Prisma Cloud Compute - Cloud Discovery Alert__
The default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts.
- __Prisma Cloud Compute - Vulnerability Alert__
Default playbook for parsing Prisma Cloud Compute vulnerability alerts.
- __Prisma Cloud Compute - Audit Alert__
Default playbook for parsing Prisma Cloud Compute audit alerts.
- __Splunk Indicator Hunting__
Queries Splunk for indicators such as file hashes, IP addresses, domains, or URLs. It outputs detected users, IP addresses, and hostnames related to the indicators.
- __Sixgill - DarkFeed - Indicators__
Extracts a STIX bundle and then uses the **StixParser** automation to parse and push indicators to Demisto.
- __Prisma Cloud Compute - Compliance Alert__
The default playbook for parsing Prisma Cloud Compute compliance alerts.

\* ***Disclaimer***: The SANS playbooks do not ensure compliance with SANS regulations.

3 Improved Playbooks
- __PANW - Hunting and threat detection by indicator type V2__
Fixed missing task link.
- __IT - Employee Offboarding__
Added functionality that enables offboarding employees on a future date.
- __IT - Employee Offboarding - Manual__
Added functionality that enables offboarding employees on a future date (manually).

---
Incident Fields
- __Offboarding Date__
The date and time when the employee offboarding process should begin.
This incident field is associated with the new **AWS EC2 Instance Misconfiguration** incident type.

---
Incident Layouts

6 New Incident Layouts
- __AWS EC2 Instance Misconfiguration - Summary__
- __Sixgill Threat - Summary__
- __Prisma Cloud Compute Audit - Summary__
- __Prisma Cloud Compute Compliance - Summary__
- __Prisma Cloud Compute Cloud Discovery - Summary__
- __Prisma Cloud Compute Vulnerability - Summary__

2 Improved Incident Layouts
- __Employee Offboarding - Summary__
Added a field for the date and time when the offboarding process began.
- __Employee Offboarding - New/Edit__
Added an option to select a future date and time at which to begin employee offboarding.

---
Classification & Mapping

3 Improved Classification & Mapping
- __RedLock__
Added classification to the **AWS EC2 Instance Misconfiguration** incident type.
- __Cortex XDR - IR__
Added the *host_count* field to the mapping of the Cortex XDR integration, with the incident type **Cortex XDR Incident**. (Available from Demisto v5.0)
- __prismaCloud_app__
Added classification to the **AWS EC2 Instance Misconfiguration** incident type.

---