Demisto-py

Latest version: v3.3.0


20.1.2

Demisto Content Release Notes for version 20.1.2 (38873)
Published on 21 January 2020
Integrations

5 New Integrations
- __Securonix__
Use the Securonix integration to manage incidents and watchlists.
- __Digital Defense Frontline VM__
Use the Digital Defense Frontline VM integration to identify and evaluate the security and business risks of network devices and applications deployed as on-premise, cloud, or hybrid network-based implementations.
- __BPA__
Use the Palo Alto Networks Best Practice Assessment (BPA) integration to analyze NGFW and Panorama configurations and compare them to the best practices.
- __Google Cloud Translate__
Use the Google Cloud Translate integration to translate text to supported languages.
- __Kenna v2__
Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes.

12 Improved Integrations
- __Active Directory Query v2__
Added 2 commands.
- ***ad-create-group***
- ***ad-delete-group***
- __SplunkPy__
Added the ***splunk-submit-event-hec*** command.
- __Atlassian Jira (v2)__
- Fixed the description of the *reporter* argument in the ***jira-create-issue*** command.
- Fixed an issue where an error was raised when trying to fetch incidents and the *idOffset* was not configured.
- __Palo Alto Networks MineMeld__
Added the *type* argument, which specifies the indicator type, to the following commands.
- ***minemeld-add-to-miner***
- ***minemeld-remove-from-miner***
- __Microsoft Graph Mail__
Added support to authenticate using a self-deployed Azure application.
- __IntSights__
- Improved logging for fetch_incidents.
- Improved error handling.
- __AttackIQ Platform__
Added 4 commands.
- ***attackiq-list-assessment-templates***
- ***attackiq-list-assets***
- ***attackiq-create-assessment***
- ***attackiq-add-assets-to-assessment***
- __Palo Alto Networks Traps__
Fixed an issue where running a scan on an endpoint failed but the War Room entry displayed a success message.
- __IBM QRadar__
Added the *Full Incident Enrichment* instance parameter. Clear this checkbox to disable QRadar offense enrichment performed in fetch-incidents. This might help if you encounter a timeout while fetching new incidents.
- __Palo Alto Networks PAN-OS__
Fixed an issue where trying to download a filter-pcap with the necessary arguments did not return the correct results.
- __Microsoft Teams__
- Added the ability to mention users in the ***send-notification*** command.
- Added 2 commands.
- ***add-user-to-channel***
- ***create-channel***
- __Microsoft Graph Mail Single User__
Added support to authenticate using a self-deployed Azure application.

1 Deprecated Integration
- __Kenna__
Use the Kenna v2 integration instead.

---
Scripts

3 New Scripts
- __SetAndHandleEmpty__
Checks whether a specified item was returned in the search results. If it was, the value is set in context; otherwise, no value is set.
- __GetValuesOfMultipleFields__
Receives a list of fields and a context key base path, and returns the values of each field under that path. For example, Key=demisto.result List=username,user returns all of the values from demisto.result.username and demisto.result.user. The *Get* field of the task must have the value ${.=[]}.
- __MicrosoftApiModule__
Common Microsoft code that will be appended into each Microsoft integration when it's deployed.

6 Improved Scripts
- __FindSimilarIncidents__
Shortened the query time range to improve index usage.
- __IsIPInRanges__
Added two non-routable IP address ranges.
- 127.0.0.0/8 (localhost)
- 169.254.0.0/16 (APIPA)
- __DBotTrainTextClassifierV2__
Added error messages for cases when the total number of incidents is less than the default threshold.
- __DBotPredictPhishingWords__
Added the *emailBodyHTML* argument, which enables you to pass the raw HTML of the email body.
- __SetIfEmpty__
- Added support for unicode default values.
- The string "None" is now treated as empty.
- __PositiveDetectionsVSDetectionEngines__
Fixed an issue where the script displayed error messages when required fields were not supplied.
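The two ranges added to IsIPInRanges only behave as ranges if they carry a prefix length: written as a bare address, 169.254.0.0 is a single /32 host and 169.254.10.20 would not match. The following is an added example, not the IsIPInRanges script itself, showing the membership check with Python's standard ipaddress module; the range list is constructed for the example.

```python
import ipaddress

# Constructed for this example: the non-routable ranges named in the
# release note, plus the RFC 1918 private ranges for context.
NON_ROUTABLE_RANGES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # APIPA / link-local
]


def parse_ranges(ranges):
    """Parse CIDR strings into network objects.

    strict=False accepts a range whose host bits are set (e.g. 10.1.2.3/8).
    A string with no prefix length, such as "169.254.0.0", is parsed as a
    single host (/32), which is the trap to watch for when editing the list.
    """
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def prefix_length(range_str):
    """Prefix length a range string will be treated as; 32 means 'one host'."""
    return ipaddress.ip_network(range_str, strict=False).prefixlen


def is_ip_in_ranges(ip, ranges=NON_ROUTABLE_RANGES):
    """True if ip falls inside any of the given ranges.

    Invalid input returns False instead of raising, so a garbled indicator
    in a playbook does not abort the whole run.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # An IPv6 address is never 'in' an IPv4 network, so mixed input is safe.
    return any(addr in net for net in parse_ranges(ranges))


if __name__ == "__main__":
    for sample in ["127.0.0.1", "169.254.10.20", "8.8.8.8", "::1"]:
        print(sample, is_ip_in_ranges(sample))
```

Running prefix_length on a candidate entry before adding it to the list is a cheap guard against the bare-address mistake.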

---
Playbooks

8 New Playbooks
- __QRadar Indicator Hunting V2__
Queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, and URLs.
- __Digital Defense FrontlineVM - Scan Asset Not Recently Scanned__
Pulls the IP address from the details value of an incident and checks if that asset has been scanned within the past 60 days. If not, then it will prompt to perform a scan on the asset.
- __Run Panorama Best Practice Assessment__
Runs Palo Alto Best Practice Assessment checks for a Panorama instance.
- __Digital Defense FrontlineVM - PAN-OS block assets__
Pulls Panorama queried threat logs and checks for any correlating assets that are found to have a minimum number of high level vulnerabilities. If so, it will block the IP address using the Panorama PAN-OS - Block IP and URL - External Dynamic List playbook.
- __Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration__
Remediates the Prisma Cloud AWS EC2 alerts generated by the following policies.
- AWS Default Security Group Does Not Restrict All Traffic.
- AWS Security Groups Allow Internet Traffic.
- AWS Security Groups With Inbound Rule Overly Permissive To All Traffic.
- __PANW - Hunting and threat detection by indicator type V2__
This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names. The inputs can be provided manually or taken from the outputs of other playbooks.
The playbook leverages Palo Alto Cortex data received from products such as Traps, Analytics, and PAN-OS to search for IP addresses and hosts related to that specific hash. The playbook output facilitates pivoting searches for possibly affected hosts, IP addresses, or users.
- __Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration__
Remediates Prisma Cloud AWS EC2 alerts and utilizes a number of sub-playbooks that manage EC2 policies.
- __Digital Defense FrontlineVM - Old Vulnerabilities Found__
Queries the Frontline.Cloud active view for any critical vulnerabilities found that are older than 90 days.

4 Improved Playbooks
- __PAN-OS - Block IP and URL - External Dynamic List__
Fixed an issue with EDL refresh for Panorama.
- __Phishing Investigation - Generic v2__
Added tasks that predict the phishing incident verdict when a phishing ML model exists. The verdict refers to the phishing category.
- __PAN-OS - Block Domain - External Dynamic List__
Fixed an issue with EDL refresh for Panorama.
- __Intezer - scan host__
Removed role requirements.

2 Deprecated Playbooks
- __PANW - Hunting and threat detection by indicator type__
Use the **PANW - Hunting and threat detection by indicator type V2** playbook instead.
- __QRadar Indicator Hunting__
Use the **QRadar Indicator Hunting V2** playbook instead.

---
Incident Fields
- __DBotTextSuggestionHighlighted__
Indicates the words in the text that contributed to the decision made by the ML model.
- __DBotPrediction__
The phishing sub-type verdict that was predicted by the ML model.
- __DBotPredictionProbability__
The confidence level, presented as a value between 0 and 1, of the predicted phishing sub-type verdict by the machine-learning model. Associated to the *AWS IAM Policy Misconfiguration* incident type.


---
Incident Layouts

New Incident Layouts
- __AWS IAM Policy Misconfiguration - Summary__
Associated to the *AWS IAM Policy Misconfiguration* incident type.

Improved Incident Layouts
- __Phishing - Summary__
Added the Machine Learning prediction section.

---
Classification & Mapping

2 Improved Classification & Mapping
- __prismaCloud_app__
Added classification to the *AWS IAM Policy Misconfiguration* incident type.
- __RedLock__
Added classification to the *AWS IAM Policy Misconfiguration* incident type.

20.1.1

Demisto Content Release Notes for version 20.1.1 (38457)
Published on 16 January 2020
This is a hotfix release for Demisto v5.0.1 deployments.
* The fix ensures that the IP indicator is installed properly.
For more information, see [Demisto Content Release version v20.1.0](https://github.com/demisto/content/releases/tag/20.1.0).

20.1.0

Demisto Content Release Notes for version 20.1.0 (37812)
Published on 07 January 2020
*Notice*: Breaking Change
This content update renames the incident field **Account** to **Account Name**. This change affects backward compatibility if the field was already implemented in custom content artifacts.
Integrations

12 Improved Integrations
- __Palo Alto Networks AutoFocus V2__
Improved error handling for the reputation commands.
- ***ip***
- ***domain***
- ***file***
- ***url***
- __Palo Alto Networks PAN-OS__
- Fixed an issue when trying to download a threat-pcap without the required arguments.
- Improved the error message when trying to download PCAPs from a Panorama instance.
- You can now specify multiple values (list) for the *source*, *destination*, and *application* arguments in the following commands.
- ***panorama-create-rule***
- ***panorama-custom-block-rule***
- ***panorama-edit-rule***
- Added 4 commands.
- ***panorama-list-static-routes***
- ***panorama-get-static-route***
- ***panorama-add-static-route***
- ***panorama-delete-static-route***
- Fixed an issue in the ***panorama-list-pcaps*** command when there are no PCAPs in PAN-OS.
- __SplunkPy__
Fixed an issue with access to a non-existing key when fetching non-ES events.
- __Carbon Black Enterprise Response__
Added the *Maximum number of incidents to fetch* parameter, which specifies the maximum number of incidents to create per fetch.
- __Cybereason__
Fixed an issue where the ***cybereason-query-file*** command did not pull specific hashes.
- __Zendesk__
Added the *check_if_user_exists* argument to the ***zendesk-add-user*** command, which checks if the user already exists in the system. If set to "True" and the user exists, an error is thrown.
- __IBM QRadar__
Fixed an issue with ***fetch-incidents*** that truncated the incident name when the description included new lines (line breaks).
- __Gmail__
- You can now run the following commands against user accounts when you have admin credentials.
- ***gmail-delegate-user-mailbox***
- ***gmail-set-autoreply***
- __ThreatQ v2__
- Added the ***threatq-advanced-search*** command, which runs an advanced indicator search.
- Added TLP values to indicator outputs.
- __Google Vault__
Added support for group email (in addition to accountID) for the ***gvault-create-hold*** command.
- __EWS Mail Sender__
Fixed an issue with email subject unicode for the ***send-mail*** command.
- __Palo Alto Networks WildFire v2__
Fixed an issue where the ***wildfire-report*** command did not return outputs for non-malicious URLs.

---
Scripts

3 New Scripts
- __ProductJoin__
This script takes two lists and a separator, and returns a list of strings in which every element of the first list is joined with every element of the second (the Cartesian product of the two lists).
- __DemistoVersion__
Returns the Demisto server version.
- __DockerHardeningCheck__
Checks if the Docker container running this script has been hardened according to the recommended settings. For more information, see the [Docker Hardening Guide](https://support.demisto.com/hc/en-us/articles/360040922194).

6 Improved Scripts
- __ConvertFile__
Fixed an issue where child processes were defunct after converting PDF files to HTML.
- __StixParser__
Removed ***firstSeen*** as qualifier for STIX 2 object.
- __SetIfEmpty__
Fixed an issue where the transformer would fail when applied to a number field.
- __Set__
Added the *stringify* argument, which enables you to save numbers as strings.
- __RepopulateFiles__
Fixed an issue in which the script took all of the last entries and not only the attachments. This resulted in reaching the page limit of 1,000 entries and causing suboptimal performance.
- __CommonServerPython__
- Added the ***argToBoolean*** function, which accepts a value of type string or boolean and converts it to a boolean.
- Added the ***batch*** function, which accepts an iterable and a batch size, and yields successive batches of that size.
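As an added illustration (not the CommonServerPython source), the two helpers below reimplement the behaviour described: a strict string-to-boolean conversion that rejects unrecognised values instead of coercing them, and a batch generator that chunks any iterable without loading it all into memory. The accepted strings (true/false/yes/no), the whitespace handling, and the use of ValueError for bad input are assumptions made for this example.

```python
from typing import Iterable, Iterator, List, TypeVar, Union

T = TypeVar("T")


def arg_to_boolean(value: Union[str, bool]) -> bool:
    """Convert a playbook argument to a real bool.

    Assumed behaviour for this example: bools pass through; the strings
    true/false/yes/no are accepted case-insensitively with surrounding
    whitespace ignored; anything else raises ValueError. Raising matters in
    security automation: a typo such as "ture" must not quietly become False.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        normalised = value.strip().lower()
        if normalised in ("true", "yes"):
            return True
        if normalised in ("false", "no"):
            return False
    raise ValueError(f"Argument is neither a boolean nor a boolean string: {value!r}")


def batch(iterable: Iterable[T], batch_size: int = 1) -> Iterator[List[T]]:
    """Yield successive lists of at most batch_size items.

    Works on generators as well as lists, so a large indicator feed is
    consumed lazily instead of being materialised at once.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be a positive integer")
    current: List[T] = []
    for item in iterable:
        current.append(item)
        if len(current) == batch_size:
            yield current
            current = []
    if current:
        yield current


def submit_in_batches(indicators: Iterable[str], batch_size: int = 3) -> List[List[str]]:
    """Constructed caller: group indicators the way one would for an API that
    caps the number of items per request. Returns the chunks that would be sent."""
    return [chunk for chunk in batch(indicators, batch_size)]


if __name__ == "__main__":
    print(arg_to_boolean(" Yes "), arg_to_boolean(False))
    print(submit_in_batches(f"10.0.0.{i}" for i in range(1, 8)))
```

The last, shorter chunk is yielded rather than dropped, which is the edge case most hand-rolled chunking loops get wrong.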

---
Playbooks

8 New Playbooks
- __PAN-OS - Delete Static Routes__
This playbook deletes a PAN-OS static route from the PAN-OS instance.
- __PAN-OS - Add Static Routes__
This playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance.
- __Employee Offboarding - Gather User Information__
This playbook gathers user information as part of the IT - Employee Offboarding.
- __Employee Offboarding - Delegate__
This playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook.
- __Employee Offboarding - Revoke Permissions__
This playbook revokes user permissions as part of the IT - Employee Offboarding.
- __Employee Offboarding - Retain & Delete__
This playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook.
- __IT - Employee Offboarding__
This playbook offboards company employees to maintain organizational security.
- __IT - Employee Offboarding - Manual__
This playbook provides a manual alternative to the IT - Employee Offboarding playbook.

2 Improved Playbooks
- __Convert file hash to corresponding hashes__
- Fixed an issue in which converting a file hash to corresponding hashes failed.
- Streamlined playbook structure by removing set tasks.
- __Active Directory - Get User Manager Details__
Fixed an issue where the display name of the original user was returned in addition to the manager's display name.

---
Incident Fields
Replaced the *Account* field with the *Account Name* field.

**Note**: This will affect backward compatibility if the field was already implemented in any content artifacts.

20 New Incident Fields
- __Active Directory - Account Status__
- __Active Directory - Display Name__
- __Active Directory - Password Status__
- __Company Property Status__
- __GSuite - Device Account Status__
- __Google Account Status__
- __Google Admin Roles Status__
- __Google Display Name__
- __Google Drive Status__
- __Google Mail Status__
- __Google Password Status__
- __Duo Account Status__
- __Email Auto Reply__
- __Mailbox Delegation__
- __Employee Display Name__
- __Employee Email__
- __Employee Manager Email__
- __Global Directory Visibility__
- __Offboarding Stage__
- __Okta Account Status__

---
Incident Layouts

2 New Incident Layouts
- __Employee Offboarding - Details__
- __Employee Offboarding - New__

Improved Incident Layout
- __Prisma Cloud - Summary__
Replaced the *Account* field with the *Account Name* field.

---
Incident Types

New Incident Type
- __Employee Offboarding__

---
Classification & Mapping

2 Improved Classification & Mapping
- __prismaCloud_app__
Replaced the *Account* field with the *Account Name* field.
- __RedLock__
Replaced the *Account* field with the *Account Name* field.

19.12.1

Demisto Content Release Notes for version 19.12.1 (36874)
Published on 25 December 2019
Integrations
9 New Integrations
- __Microsoft Graph Calendar__
Use the Microsoft Graph Calendar integration to create and manage different calendars and events according to your requirements.
- __Lockpath KeyLight v2__
Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
- __Flashpoint__
Use the Flashpoint integration to reduce business risk.
- __Infoblox__
Use the Infoblox integration to receive metadata about IPs in your network, and manage the DNS Firewall by configuring RPZs.
- __PhishLabs IOC DRP__
Use the PhishLabs IOC DRP integration to retrieve live feeds of Digital Risk Protection from PhishLabs.
- __McAfee DXL__
Use the McAfee DXL integration to enable different products to communicate via a standard API.
- __SecBI__
Use the SecBI integration, a threat intelligence and investigation platform, to automate detection and investigation, including remediation and prevention policy enforcement on all integrated appliances.
- __Akamai WAF SIEM__
Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
- __OpenLDAP (Beta)__
Use the OpenLDAP (Beta) integration to authenticate using Open LDAP.
27 Improved Integrations
- __Palo Alto Networks Cortex__
Fixed an issue with the fetch incidents function in which failed jobs raised an exception.
- __Microsoft Graph User__
Added content-version and content-name headers to Oproxy request.
- __Microsoft Graph Mail__
Added content-version and content-name headers to Oproxy request.
- __Cofense Triage__
Fixed an issue with test module.
- __Joe Security__
Fixed an issue in the ***joe-analysis-submit-sample*** command where the system field output returned duplicates.
- __Microsoft Graph Groups__
Added content-version and content-name headers to Oproxy request.
- __IBM QRadar__
Fixed an issue in which the ***qradar-get-assets*** command failed when a user supplied a value for the *fields* parameter.
- __LogRhythm__
The ***lr-execute-query*** command now works as expected.
- __PhishLabs IOC EIR__
- Added the *period* argument to the ***phishlabs-ioc-eir-get-incidents*** command, which defines the time range for which to return incidents.
- Improved implementation of the fetch incidents functionality.
- Improved the integration documentation.
- Changed the display name to **PhishLabs IOC EIR**.
- __Palo Alto Networks AutoFocus V2__
Added 4 reputation commands.
- ***ip***
- ***domain***
- ***file***
- ***url***
- __SplunkPy__
Enhanced the execution speed of the ***splunk-search*** command.
- __Azure Security Center v2__
Added content-version and content-name headers to Oproxy request.
- __Carbon Black Enterprise Live Response__
- Deprecated the ***cb-memdeump*** command. Use the ***cb-memdump*** command instead.
- Fixed an issue where the ***cb-memdeump*** did not initiate a memory dump on the server endpoint.
- __Azure Compute v2__
Added content-version and content-name headers to Oproxy request.
- __Mimecast__
- Added 9 commands.
- ***mimecast-find-groups***
- ***mimecast-get-group-members***
- ***mimecast-add-group-member***
- ***mimecast-remove-group-member***
- ***mimecast-create-group***
- ***mimecast-update-group***
- ***mimecast-create-remediation-incident***
- ***mimecast-get-remediation-incident***
- ***mimecast-search-file-hash***
- Fixed an issue with instance SSL configuration.
- __IntSights__
Fixed an issue with the *is-hidden* and the *rate* arguments in the ***intsights-close-alert*** command.
- __Tanium v2__
Fixed an issue where the ***tn-get-question-result*** command returned empty results.
- __RSA Archer__
Fixed an issue where reports generated from the **GenerateInvestigationReport** script failed to upload to RSA Archer.
- __Active Directory Query v2__
Fixed a typo in the name of the **custom-field-data** argument.
- __Gmail__
- Added a new command.
- ***gmail-get-role***
- Improved the outputs for the following commands.
- ***gmail-get-user-roles***
- ***gmail-list-filters***
- ***gmail-add-filter***
- __EWS v2__
Fixed an issue where threads did not close after executing commands.
- __EWS Mail Sender__
Improved performance and functionality.
- __Microsoft Graph Security__
Added content-version and content-name headers to Oproxy request.
- __RSA NetWitness v11.1__
Fixed an issue where the environment proxy affected the integration, when no proxy should be used.
- __CrowdStrike Falcon__
- Added the following real-time response API commands.
- ***cs-falcon-run-command***
- ***cs-falcon-upload-script***
- ***cs-falcon-get-script***
- ***cs-falcon-delete-script***
- ***cs-falcon-list-scripts***
- ***cs-falcon-upload-file***
- ***cs-falcon-delete-file***
- ***cs-falcon-get-file***
- ***cs-falcon-list-files***
- ***cs-falcon-run-script***
- Added the *email* argument to the ***cs-falcon-resolve-detection*** command, which can be used instead of the *ids* argument.
- __Rasterize__
Fixed an issue with the ***rasterize*** command in which child processes were defunct.
- __Windows Defender Advanced Threat Protection__
Added content-version and content-name headers to Oproxy request.
2 Deprecated Integrations
- __Intezer__
Use the Intezer v2 integration instead.
- __Lockpath Keylight__
Use the Lockpath Keylight v2 integration instead.
---
Scripts
4 New Scripts
- __RegexExtractAll__
- Extracts all matches of a specified regular expression pattern from a provided string. Returns an array of results containing all matches of the pattern, not just specific groups. Useful for extraction where the content of the source string is indeterminate, such as extracting all email addresses. The 'regex' library is used and supports more advanced regex functionality than the standard 're' library.
- The following arguments have been added.
- The *convenience* argument, which enhances usability, and the *multi_line*, *ignore_case*, and *period_matches_newline* flag arguments.
- The *error_if_no_match* argument. By default the script does not throw an error if no match is found. When the script runs as a playbook task rather than as a transformer, you might want it to throw an error if the expression does not match.
- __GetMLModelEvaluation__
Finds a threshold for the ML model and performs an evaluation based on it.
- __PrettyPrint__
Pretty-print data using Python's pprint library. This is useful for seeing the structure of an incident and context data.
- __KeylightCreateIssue__
Use this script to simplify the process of creating or updating a record in Keylight v2.
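
To show what "all matches, not just specific groups" means in practice, here is an added example (not the RegexExtractAll script) that returns whole matches while exposing the same flag arguments. It uses Python's standard re module rather than the third-party regex library the script uses, the email sample is constructed, and the *convenience* argument is assumed here to switch on all three flags at once.

```python
import re
from typing import List, Tuple


def regex_extract_all(value: str, pattern: str, multi_line: bool = False,
                      ignore_case: bool = False, period_matches_newline: bool = False,
                      convenience: bool = False, error_if_no_match: bool = False) -> List[str]:
    """Return every whole match of pattern in value.

    re.findall returns only the captured groups when the pattern contains
    groups; using finditer and group(0) always returns the full match, which
    is what 'all matches, not just specific groups' means.
    convenience=True is assumed (for this example) to enable all three flags.
    """
    flags = 0
    if multi_line or convenience:
        flags |= re.MULTILINE
    if ignore_case or convenience:
        flags |= re.IGNORECASE
    if period_matches_newline or convenience:
        flags |= re.DOTALL
    matches = [m.group(0) for m in re.finditer(pattern, value, flags)]
    if not matches and error_if_no_match:
        # As a transformer a non-match is normal; as a playbook task the
        # caller may prefer a hard failure so a broken pattern is noticed.
        raise ValueError(f"No match for pattern {pattern!r}")
    return matches


# Constructed sample: a few headers from a reported phishing e-mail.
SAMPLE_EMAIL = (
    "From: analyst@example.com\n"
    "To: SOC@Example.ORG\n"
    "Subject: suspicious login\n"
    "Reply-To: not-an-address@\n"
)

# Grouped pattern: the groups are handy for a user/domain split elsewhere,
# but findall would return (user, domain) tuples instead of addresses.
EMAIL_PATTERN = r"([\w.+-]+)@([\w-]+\.[\w.-]+)"


def grouped_findall(value: str, pattern: str) -> List[Tuple[str, ...]]:
    """What re.findall gives for the same grouped pattern, for comparison."""
    return re.findall(pattern, value)


if __name__ == "__main__":
    print(regex_extract_all(SAMPLE_EMAIL, EMAIL_PATTERN))
    print(grouped_findall(SAMPLE_EMAIL, EMAIL_PATTERN))
    print(regex_extract_all(SAMPLE_EMAIL, r"^to:", multi_line=True, ignore_case=True))
```

The "Reply-To" line is a deliberate near miss: the pattern requires a domain after the @, so a truncated address is not extracted.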
11 Improved Scripts
- __IPv4Blacklist__
- Improved script implementation.
- Breaking changes: updated Docker image.
- __DBotPredictPhishingWords__
- Added support for text highlighting.
- Added support for minimum text-length argument.
- Added an argument that suppresses the error when there is no prediction.
- __GetTime__
Fixed an issue where providing a date input from context returned the current date instead of the provided date.
- __IPv4Whitelist__
- Improved script implementation.
- Breaking changes: updated Docker image.
- __UnzipFile__
The file size (in bytes) is returned as expected.
- __SaneDocReports__
- Fixed an issue where the line chart x-axis was not readable.
- Fixed an issue with the graph width.
- __IsRFC1918Address__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __IsNotInCidrRanges__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __DBotTrainTextClassifierV2__
Added new evaluation methodology and metrics to the logic of the trained model.
- __IsInCidrRanges__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __ParseEmailFiles__
Added handling for cases where an attachment has neither the *DisplayName* nor the *AttachFilename* properties.

---
Playbooks
5 New Playbooks
- __CVE Enrichment - Generic v2__
Performs CVE Enrichment using the following integrations.
- VulnDB
- CVE Search
- IBM X-Force Exchange
- __Active Directory - Get User Manager Details__
Takes an email address or a username of a user account in an Active Directory, and returns the email address of the user's manager.
- __PANW - Hunting and threat detection by indicator type__
This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on file hashes, IP addresses, or domain names provided manually or taken from outputs of other playbooks.
- __Block IOCs from CSV - External Dynamic List__
Parses a CSV file with IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
- __QRadar Indicator Hunting__
Queries QRadar SIEM for indicators, such as file hashes, IP addresses, domains, and URLs.
14 Improved Playbooks
- __Endpoint Malware Investigation - Generic__
Added new playbook inputs.
- __Intezer - Analyze by hash__
Fixed an issue where the playbook finished before the analysis was completed.
- __PAN-OS - Block URL - Custom URL Category__
Added new playbook inputs.
- __DBot Create Phishing Classifier V2__
Updated evaluation metrics of the trained model.
- __Intezer - Analyze Uploaded file__
Fixed an issue where the playbook finished before the analysis was completed.
- __PAN-OS EDL Setup__
Rule position is no longer mandatory, the default position was changed to **Top**.
- __Palo Alto Networks - Endpoint Malware Investigation__
- Added the new sub-playbook **PANW - Hunting and threat detection by indicator type**.
- Added new playbook inputs.
- __PAN-OS - Block IP and URL - External Dynamic List__
- Fixed an issue with EDL refresh for Panorama.
- Added new playbook inputs.
- __PAN-OS - Create Or Edit Rule__
Rule position is no longer mandatory, and the default position was changed to **Bottom**.
- __PAN-OS DAG Configuration__
Rule position is no longer mandatory, and the default position was changed to **Top**.
- __Access Investigation - Generic - NIST__
- Fixed inputs for **IP Enrichment - Generic v2**.
- Removed the *Change severity* task.
- __Block IP - Generic v2__
Added playbook inputs to establish the PAN-OS remediation path.
- __Palo Alto Networks - Malware Remediation__
Added the new sub-playbook **PAN-OS - Block Domain - External Dynamic List**.
- __PAN-OS - Block Domain - External Dynamic List__
- Fixed an issue with EDL refresh for Panorama.
- Added new playbook inputs.

19.12.0

Demisto Content Release Notes for version 19.12.0 (35835)
Published on 10 December 2019
Integrations

5 New Integrations
- __Accessdata__
Use the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks.
- __IronDefense__
Use the IronDefense Integration to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity.
- __Microsoft Graph Groups__
Use the Microsoft Graph Groups integration to create and manage different types of groups and group functionality.
- __Gmail Single User (Beta)__
Use the Gmail Single User integration to send and receive emails from a single user's mailbox. Authentication is performed using OAuth 2.0 protocol.
- __Blue Coat Content and Malware Analysis (Beta)__
Blue Coat Content and Malware Analysis.

22 Improved Integrations
- __MISP V2__
You can now filter an event by attribute data fields.
- __Alexa Rank Indicator__
- Added fallback for when the default endpoint is inaccessible.
- Added support for connection from a proxy.
- Updated DBotScore outputs.
- __CrowdStrike Falcon Sandbox__
The ***crowdstrike-submit-sample*** command now works as expected.
- __PhishLabs IOC EIR v2__
Changed the display name to **PhishLabs EIR v2**.
- __Microsoft Graph User__
Fixed an issue where the ***msgraph-user-create*** command did not work if the optional argument *other_properties* was not supplied. You can now run this command without supplying the *other_properties* argument.
- __RSA Archer__
- Fixed an issue when retrieving app IDs for applications with reverse field mapping.
- Added support for multiselect fields in the following commands.
- ***archer-create-record***
- ***archer-update-record***
- Added support for specifying users in type 8 fields in the following commands.
- ***archer-create-record***
- ***archer-update-record***
- __WhatIsMyBrowser__
Added support for the *extend-context* argument in the ***ua-parse*** command.
- __LogRhythm__
Fixed an issue with an error message in the ***lr-get-alarms*** command.
- __Palo Alto Networks PAN-OS EDL Management__
- Updated the detailed description.
- Fixed an issue where the ***pan-os-edl-update*** command failed when the file path included space characters at *scp_execute()*.
- Fixed an issue where the *ssh_execute()* function failed when the file name included space characters.
- Added the following commands.
- ***pan-os-edl-update-internal-list***
- ***pan-os-edl-update-external-file***
- __VirusTotal__
- Added batch support for the reputation commands (**ip**, **url**, and **domain**).
- Fixed an issue where the DBotScore would create duplications in the incident context. This affects Demisto v5.5 and later.
- __Symantec Managed Security Services__
You can now use special characters in comments when running the ***symantec-mss-update-incident*** command.
- __Atlassian Jira (v2)__
Improved support for the following authentication methods. (Requires Demisto v5.0)
- Basic
- OAuth 1.0
- __Exabeam__
- Improved error handling.
- Added the prefix *exabeam-* to all commands.
- Added 2 new commands.
- ***exabeam-delete-watchlist***
- ***exabeam-get-asset-data***
- __FireEye HX__
Fixed an issue where ***fireeye-hx-file-acquisition*** command would fail on a timeout.
- __Anomali ThreatStream v2__
- The ***threatstream-import-indicator-with-approval*** command now works as expected.
- Added support for comma-separated values in reputation commands (***ip***, ***file***, ***domain***, and ***url***).
- __Palo Alto Networks PAN-OS__
- Fixed an issue where the status log queries that returned zero results did not update to *Completed*.
- Added 2 commands.
- ***panorama-get-url-category-from-cloud***
- ***panorama-get-url-category-from-host***
- Added support to get, create, and edit custom URL category objects, including using the categories attribute in PAN-OS v9.x and above.
- __EWS Mail Sender__
Fixed an issue where threads were not closed after executing commands.
- __Active Directory Query v2__
Improved handling of error messages.
- __PhishLabs IOC EIR__
Changed the display name to **Phishlabs IOC EIR**.
- __Microsoft Graph Mail__
Added 7 new commands.
- ***msgraph-mail-list-folders***
- ***msgraph-mail-list-child-folders***
- ***msgraph-mail-create-folder***
- ***msgraph-mail-update-folder***
- ***msgraph-mail-delete-folder***
- ***msgraph-mail-move-email***
- ***msgraph-mail-get-email-as-eml***
- __Slack v2__
- Fixed an issue where mirrored investigations contained mismatched user names.
- Added reporter and reporter email as labels to incidents that are created by direct messages.
- __CrowdStrike Falcon__
Fixed an issue with ***fetch incidents***, which caused incident duplication.

Deprecated Integration
- __Phishme Intelligence__
Use the Cofense Intelligence integration instead.

---
Scripts

5 New Scripts
- __AccessdataCheckProcessExistsInSnapshot__
Reads the contents of the processes list XML file from context and checks if the given process exists in the process list.
- __GetEWSFolder__
Retrieves emails from multiple folders of an account in a single batch.
- __ExportMLModel__
Exports an existing machine learning (ML) model to a file.
- __ImportMLModel__
Imports a file that contains a machine learning (ML) model.
- __ConvertAllExcept__
Converts all selected values but exceptions.

9 Improved Scripts
- __ReadPDFFileV2__
- Added support for processing PDF files that generate a warning.
- Fixed an issue with URL extraction from PDF files.
- __ParseEmailFiles__
Fixed an issue with handling smime signed files with no attachments.
- __CheckEmailAuthenticity__
- Fixed an issue where the script did not properly determine the authenticity of some emails.
- Fixed an issue where DKIM Signing-Domain was not identified.
- __ZipFile__
Fixed an issue where output values did not match the output paths.
- __QRadarGetOffenseCorrelations__
Added support for different CRE name default values.
- __UnzipFile__
Fixed an issue where supplying a wrong password would still upload a file to the War Room.
- __UnEscapeURLs__
Fixed an issue where special characters in URLs were parsed incorrectly.
- __ProofpointDecodeURL__
Deprecated. Changed to call *UnEscapeURLs*.
- __QRadarGetCorrelationLogs__
Added support for different CRE name default values.

---
Playbooks

3 New Playbooks
- __PAN-OS Query Logs For Indicators__
This playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering and wildfire. The playbook accepts inputs such as IP, hash, and url.
- __Get Mails By Folder Pathes__
This playbook retrieves emails from specified folders and executes pre-processing using EWS.
- __Accessdata: Dump memory for malicious process__
Use this playbook as a sub-playbook to dump memory if a given process is running on a legacy AD agent.

2 Improved Playbooks
- __PAN-OS Commit Configuration__
Removed PA-VM as the firewall identifier and changed the condition to *else*.
- __PhishingDemo-Onboarding__
The playbook now uses the updated File output context path of the **extractIndicators** command.

---
Reports

Improved Report
- __Critical and High incidents__
Table column names are now capitalized.

---
Classification & Mapping

New Classification & Mapping
- __Gmail Single User__
Gmail Single User integration now supports the OAuth 2.0 protocol.

2 Improved Classification & Mapping
- __RedLock__
Updated the classifier with a new transformer.
- __prismaCloud_app__
Updated the classifier with a new transformer.

19.11.1

Demisto Content Release Notes for version 19.11.1 (34712)
Published on 26 November 2019
Integrations

7 New Integrations
- __Azure Security Center v2__
Unified security management and advanced threat protection across hybrid cloud workloads.
- __JsonWhoIs__
Provides data enrichment for domains and IP addresses.
- __Microsoft Graph Mail Single User__
Microsoft Graph allows Demisto authorized access to a user's Outlook mail data in a personal or organization account.
- __PhishLabs IOC EIR__
Get live feeds of IOC data from PhishLabs.
- __Tanium v2__
Tanium endpoint security and systems management.
- __Azure Compute v2__
Create and manage Azure VMs.
- __FireEye Helix__
FireEye Helix is a security operations platform that integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.

25 Improved Integrations
- __EWS v2__
- Improved logging.
- Added the *Max incidents per fetch* parameter, which specifies the maximum number of incidents to retrieve per fetch. The maximum is 50.
- __Microsoft Graph User__
Added pagination to the ***msgraph-user-list*** command.
- __Red Canary__
Added the *Reason*, *EndpointID*, and *EndpointUserID* keys to detections context.
- __Hybrid Analysis__
- Added the *jobID*, *sha256* and *environmentID* arguments to the ***hybrid-analysis-get-report-status*** command.
- Added the *malicious_threat_levels* argument to the ***hybrid-analysis-detonate-file*** command.
- The ***hybrid-analysis-detonate-file*** command now works as expected.
- __RSA Archer__
Fixed an issue with the presentation of user display names.
- __Carbon Black Enterprise Response__
Added the ***cb-binary-download*** command, which replaces the deprecated ***cb-binary-get*** command.
- __ArcSight ESM v2__
Fixed an issue with the response encoding.
- __Anomali ThreatStream v2__
Fixed an issue with DBotScore context data.
- __SentinelOne V2__
Fixed an issue in the ***Fetch incidents*** function.
- __Palo Alto Networks PAN-OS__
- Added support for a list of *job_id* in the ***panorama-query-logs*** and ***panorama-check-logs-status*** commands.
- Added the *ip* argument in the ***panorama-query-logs*** command.
- __IBM QRadar__
Fixed an issue in outputs for the ***get-search-results*** command.
- __Tenable.io__
Fixed an issue in the ***tenable-io-get-vulnerabilities-by-asset*** command.
- __Palo Alto Networks WildFire v2__
- Added validation to the **server** parameter.
- Fixed an issue with DBotScore context data.
- __RSA NetWitness Packets and Logs__
Fixed an issue in query parsing.
- __MISP V2__
Added support to search events by tags using the logical operators AND, OR, and NOT.
- __Stealthwatch Cloud__
Fixed an issue where incidents were fetched multiple times.
- __Slack v2__
- Added Slack API rate limit call handling.
- Added an optional parameter to specify a proxy URL to use with the Slack API.
- __McAfee Advanced Threat Defense__
Fixed an issue with the integration's proxy settings.
- __Proofpoint TAP v2__
- Fixed the **fetch-incidents** function's handling of duplicate values.
- Added the ***proofpoint-get-forensics*** command.
- Added context outputs for the ***proofpoint-get-events*** command.
- __SumoLogic__
- Added the *fetchDelay* parameter, which defines the time between ***fetch-incidents*** executions.
- Added the *fetchRecords* parameter to fetch aggregate results (instead of messages).
- Updated the SumoLogic logo.
- __AWS - ACM__
Fixed issues with the *Proxy* and *Insecure* parameters.
- __Atlassian Jira (v2)__
Added the *attachmentName* parameter to the ***jira-issue-upload-file*** command, which sets the attachment name in Jira.
- __nmap__
Fixed an issue in nmap scans with the *-sn* flag.
- __Have I Been Pwned? V2__
Added batch support for domain and email commands.
- __Cofense Triage__
Fixed an issue with the test module.
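Several of the fixes above (Stealthwatch Cloud, SentinelOne V2, Proofpoint TAP v2, and the 20.1.2 fetch-incidents duplication fix) are instances of one bug: the integration stores only a timestamp in last_run and the vendor API's time filter is inclusive, so events sitting exactly on that boundary come back on the next poll. The following is an added example, not code from any of the integrations named here or from the Demisto content repository. It also applies a per-fetch cap in the spirit of the EWS v2 *Max incidents per fetch* parameter. The vendor API, its inclusive filter, and the event schema are constructed for the example.

```python
"""Deduplicating fetch-incidents poll loop.

Added example, not Demisto content code. last_run persists the newest event
time ingested plus the IDs of every event that shared that timestamp, so an
inclusive "since" query on the next poll does not re-create those incidents.
A max_fetch cap leaves the remainder for the next poll rather than skipping it.
"""
import json
from datetime import datetime, timezone

# Constructed sample feed. a2 and a3 share a timestamp: that is the case which
# produces duplicates when last_run stores only a time.
SAMPLE_EVENTS = [
    {"id": "a1", "time": "2019-11-26T10:00:00Z", "name": "alert one"},
    {"id": "a2", "time": "2019-11-26T10:00:05Z", "name": "alert two"},
    {"id": "a3", "time": "2019-11-26T10:00:05Z", "name": "alert three"},
    {"id": "a4", "time": "2019-11-26T10:00:09Z", "name": "alert four"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def query_events(events, since_iso):
    """Stand-in for the vendor API (assumption): returns events with time >= since,
    inclusive, oldest first, ties broken by id so paging is stable."""
    since = parse_ts(since_iso)
    hits = [e for e in events if parse_ts(e["time"]) >= since]
    return sorted(hits, key=lambda e: (parse_ts(e["time"]), e["id"]))

def fetch_incidents(last_run, events, max_fetch=50):
    """One poll. last_run is the dict persisted by the previous poll:
    {"time": <ISO time of newest ingested event>, "seen_ids": [ids at that time]}."""
    since = last_run.get("time", "1970-01-01T00:00:00Z")
    seen = set(last_run.get("seen_ids", []))
    incidents = []
    for event in query_events(events, since):
        if event["id"] in seen:
            continue  # boundary event already ingested on the previous poll
        incidents.append({
            "name": event["name"],
            "occurred": event["time"],
            "rawJSON": json.dumps(event),
        })
        if len(incidents) >= max_fetch:
            break  # leave the rest for the next poll instead of skipping them
    if not incidents:
        return last_run, incidents
    newest = incidents[-1]["occurred"]
    new_seen = {json.loads(i["rawJSON"])["id"] for i in incidents if i["occurred"] == newest}
    if newest == since:
        new_seen |= seen  # still on the same timestamp: keep the earlier IDs too
    return {"time": newest, "seen_ids": sorted(new_seen)}, incidents

def drain(events, max_fetch):
    """Poll until nothing new comes back; return the incident names ingested, in order."""
    last_run, names = {}, []
    while True:
        last_run, incidents = fetch_incidents(last_run, events, max_fetch)
        if not incidents:
            return names, last_run
        names.extend(i["name"] for i in incidents)

if __name__ == "__main__":
    print(drain(SAMPLE_EVENTS, max_fetch=2))
```

Storing the boundary IDs alongside the timestamp keeps the persisted state tiny (only the events at one instant, not a full history) while still guaranteeing that a cap-limited poll which stops in the middle of a run of identical timestamps picks up exactly the remaining events next time.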

4 Deprecated Integrations
- __ExtraHop__
We recommend using the ExtraHop Reveal(x) integration instead.
- __Azure Compute__
Deprecated.
- __Azure Security Center__
Deprecated.
- __AlienVault OTX__
We recommend using the AlienVault OTX v2 integration instead.

---
Scripts

2 New Scripts
- __SetIfEmpty__
Checks an object for an empty value and returns a preset default value.
- __ExtractFQDNFromUrlAndEmail__
Extracts FQDNs from URLs and emails.

7 Improved Scripts
- __PositiveDetectionsVSDetectionEngines__
- Displays a bar chart of the number of Positive Detections out of overall detections. Tagged as dynamic-indicator-section.
- Fixed an issue that made zero-values return wrong results.
- __CommonServerPython__
BaseClient now uses a persistent HTTP session (*requests.Session*) to keep a connection open to the server across calls.
- __FilterByList__
Added the option to search for an exact match.
- __ExtractDomainFromUrlAndEmail__
Added support to identify URLs and domains prefixed with *http:* or *http:\\*.
- __UnEscapeURLs__
Added support to identify URLs and domains prefixed with *http:* or *http:\\*.
- __StixParser__
You can now parse single-object STIX 2 files.
- __SumList__
- Fixed an issue with handling input as a comma-separated string.
- Added support for floating-point numbers.

---
Playbooks

11 New Playbooks
- __Access Investigation - Generic - NIST__
Investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.
- __PAN-OS - Block Domain - External Dynamic List__
Blocks domains using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
- __Convert file hash to corresponding hashes__
Enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
- __Tanium - Get Saved Question Result__
Uses generic polling to get saved question results.
- __Endpoint Malware Investigation - Generic__
This playbook is triggered by a malware incident from an **Endpoint** type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.
- __NIST - Handling an Incident Template__
This playbook contains the phases for handling an incident as described in the *Handling an Incident* section of the NIST Computer Security Incident Handling Guide.
- __Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration__
Remediates Prisma Cloud AWS IAM password policy alerts.
- __Prisma Cloud Remediation - AWS IAM Policy Misconfiguration__
Remediates Prisma Cloud AWS IAM policy alerts.
- __NIST - Lessons Learned__
This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
- __FireEye Helix Archive Search__
Creates an archive search in FireEye Helix, and fetches the results as events.
- __Tanium - Ask Question__
Uses generic polling to get question results.

6 Improved Playbooks
- __Impossible Traveler__
The countries from which the user logged in are now saved in incident fields and are displayed in the layout.
- __Isolate Endpoint - Generic__
Added playbook outputs.
- __Panorama Query Logs__
Added the *ip* argument to the playbook.
- __Phishing - Core__
Fixed an issue where Rasterize would attempt to run even if inactive.
- __Traps Isolate Endpoint__
Added playbook outputs.
- __Extract Indicators From File - Generic v2__
Extracts indicators from a file.

---
Widgets

Improved Widget
- __Page Break Widget__
Fixed an issue in the page break widget for PDF and DOC reports.

---
Incident Fields
- __Threat Actor__
The threat actor.
- __Host Name__
The host name.
- __Previous Country__
The country from which the user previously logged in.
- __NIST Stage__
The investigation's current NIST stage.
- Associated with the Malware incident type.
- Associated with the Impossible Traveler incident type.

---
Incident Layouts

New Incident Layout
- __Malware - Summary__
Added a layout for the **Malware** incident type. Requires Demisto v5.0.

Improved Incident Layout
- __Impossible Traveler - Summary__
Added a layout for the **Impossible Traveler** incident type.

---
Classification & Mapping

New Classification & Mapping
- __Microsoft Graph Mail Single User__
Added a classifier for the Microsoft Graph Mail Single User integration.

---
Reputations
- Added support to identify URLs and domains prefixed with *http:* or *http:\\*.
- Added support for FQDN extraction as a domain indicator type.
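The FQDN extraction added here, together with the *http:* and *http:\\* prefix handling noted for ExtractDomainFromUrlAndEmail and UnEscapeURLs above, comes down to one normalization routine. The following is an added example written for this page, not code from the Demisto content scripts or its reputation regexes. It handles the prefix variants the notes mention plus URL userinfo, e-mail local parts, ports and trailing punctuation, and it rejects IP addresses and dotless names since those are not FQDNs. All inputs are constructed.

```python
"""Extract an FQDN from a URL or e-mail address.

Added example, not Demisto content code. Accepts well-formed URLs as well as
the malformed "http:host" and "http:\\host" prefixes, mailto: and bare
addresses, and returns None for anything that is not a fully qualified name.
"""
import re

# A scheme is letters/digits/+/- followed by ':'. Dots are excluded on purpose so
# that "www.example.com:8080" is read as host:port, not as a scheme.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+-]*:", re.IGNORECASE)

# RFC 1123 label rules, at least two labels, TLD starts with a letter and has
# two or more characters. This rejects dotted IPv4 literals automatically.
FQDN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)

def extract_fqdn(value):
    """Return the lowercased FQDN found in a URL or e-mail address, or None."""
    s = value.strip().strip(".,;:)(<>'\"")               # punctuation picked up from prose
    s = SCHEME_RE.sub("", s, count=1)                      # http:, https:, mailto:, ...
    s = s.lstrip("/\\")                                    # "//", "\\" or a single "\"
    authority = re.split(r"[/\\?#]", s, maxsplit=1)[0]     # stop at either slash style
    host = authority.rpartition("@")[2]                    # drop userinfo / e-mail local part
    host = re.sub(r":\d+$", "", host)                      # drop a port
    host = host.rstrip(".").lower()                        # trailing-dot absolute form
    return host if FQDN_RE.match(host) else None

# Constructed inputs covering the cases discussed in the release notes.
SAMPLES = [
    "https://www.example.com/login?next=/home",
    "http:www.example.com",
    "http:\\\\mail.example.org\\inbox",
    "alice@corp.example.net",
    "mailto:bob@example.org",
    "ftp://user:pw@files.example.co.uk:2121/pub",
    "www.example.com:8080/path",
    "HTTPS://EXAMPLE.COM.",
    "http://192.0.2.10/x",
    "localhost",
]

def extract_all(values):
    """Map each input to its FQDN (or None), preserving input order."""
    return {v: extract_fqdn(v) for v in values}

if __name__ == "__main__":
    for raw, fqdn in extract_all(SAMPLES).items():
        print(f"{raw!r:50} -> {fqdn}")
```

Returning None for IP literals matters for indicator typing: an IPv4 host should become an IP indicator, not a malformed domain, so the caller decides what to do with the rejected inputs rather than this function guessing.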
