Demisto Content Release Notes for version 19.12.1 (36874)
Published on 25 December 2019
Integrations
9 New Integrations
- __Microsoft Graph Calendar__
Use the Microsoft Graph Calendar integration to create and manage different calendars and events according to your requirements.
- __Lockpath KeyLight v2__
Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
- __Flashpoint__
Use the Flashpoint integration to reduce business risk.
- __Infoblox__
Use the Infoblox integration to to receive metadata about IPs in your network, and manage the DNS Firewall by configuring RPZs.
- __PhishLabs IOC DRP__
Use the PhishLabs IOC DRP integration to retrieve live feeds of Digital Risk Protection from PhishLabs.
- __McAfee DXL__
Use the McAfee DXL integration to enable different products to communicate via a standard API.
- __SecBI__
Use the SecBI integration, a threat, intelligence, and investigation platform, to enable automation of detection and investigation, including remediation and prevention policy, the enforcements on all integrated appliances.
- __Akamai WAF SIEM__
Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
- __OpenLDAP (Beta)__
Use the OpenLDAP (Beta) integration to authenticate using Open LDAP.
27 Improved Integrations
- __Palo Alto Networks Cortex__
Fixed an issue with the fetch incidents function in which failed jobs raised an exception.
- __Microsoft Graph User__
Added content-version and content-name headers to Oproxy request.
- __Microsoft Graph Mail__
Added content-version and content-name headers to Oproxy request.
- __Cofense Triage__
Fixed an issue with test module.
- __Joe Security__
Fixed an issue in the ***joe-analysis-submit-sample*** command where the system field output returned duplicates.
- __Microsoft Graph Groups__
Added content-version and content-name headers to Oproxy request.
- __IBM QRadar__
Fixed an issue in which the ***qradar-get-assets*** command failed when a user supplied a value for the *fields* parameter.
- __LogRhythm__
The ***lr-execute-query*** command now works as expected.
- __PhishLabs IOC EIR__
- Added the *period* argument to the ***phishlabs-ioc-eir-get-incidents*** command, which defines the time range for which to return incidents.
- Improved implementation of the fetch incidents functionality.
- Improved the integration documentation.
- Changed the display name to **PhishLabs IOC EIR**.
- __Palo Alto Networks AutoFocus V2__
Added 4 reputation commands.
- ***ip***
- ***domain***
- ***file***
- ***url***
- __SplunkPy__
Enhanced the execution speed of the ***splunk-search*** command.
- __Azure Security Center v2__
Added content-version and content-name headers to Oproxy request.
- __Carbon Black Enterprise Live Response__
- Deprecated the ***cb-memdeump*** command. Use the ***cb-memdump*** command instead.
- Fixed an issue where the ***cb-memdeump*** did not initiate a memory dump on the server endpoint.
- __Azure Compute v2__
Added content-version and content-name headers to Oproxy request.
- __Mimecast__
- Added 9 commands.
- ***mimecast-find-groups***
- ***mimecast-get-group-members***
- ***mimecast-add-group-member***
- ***mimecast-remove-group-member***
- ***mmimecast-create-group***
- ***mimecast-update-group***
- ***mimecast-create-remediation-incident***
- ***mimecast-get-remediation-incident***
- ***mimecast-search-file-hash***
- Fixed an issue with instance SSL configuration.
- __IntSights__
Fixed an issue with the *is-hidden* and the *rate* arguments in the ***intsights-close-alert*** command.
- __Tanium v2__
Fixed an issue where the ***tn-get-question-result*** command returned empty results.
- __RSA Archer__
Fixed an issue where reports generated from the **GenerateInvestigationReport** script failed to upload to RSA Archer.
- __Active Directory Query v2__
Fixed a typo in the name of the **custom-field-data** argument.
- __Gmail__
- Added a new command.
- ***gmail-get-role***
- Improved the outputs for the following commands.
- ***gmail-get-user-roles***
- ***gmail-list-filters***
- ***gmail-add-filter***
- __EWS v2__
Fixed an issue where threads did not close after executing commands.
- __EWS Mail Sender__
Improved performance and functionality.
- __Microsoft Graph Security__
Added content-version and content-name headers to Oproxy request.
- __RSA NetWitness v11.1__
Fixed an issue where the environment proxy affected the integration, when no proxy should be used.
- __CrowdStrike Falcon__
- Added the following real-time response API commands.
- ***cs-falcon-run-command***
- ***cs-falcon-upload-script***
- ***cs-falcon-get-script***
- ***cs-falcon-delete-script***
- ***cs-falcon-list-scripts***
- ***cs-falcon-upload-file***
- ***cs-falcon-delete-file***
- ***cs-falcon-get-file***
- ***cs-falcon-list-files***
- ***cs-falcon-run-script***
- Added the *email* argument to the ***cs-falcon-resolve-detection*** command, which can be used instead of the *ids* argument.
- __Rasterize__
Fixed an issue with the ***rasterize*** command in which child processes were defunct.
- __Windows Defender Advanced Threat Protection__
Added content-version and content-name headers to Oproxy request.
2 Deprecated Integrations
- __Intezer__
Use the Intezer v2 integration instead.
- __Lockpath Keylight__
Use the Lockpath Keylight v2 integration instead.
---
Scripts
4 New Scripts
- __RegexExtractAll__
- Extracts all matches from a specified regular expression pattern from a provided string. Returns an array of results and
all matches of a specified pattern, not just specific groups. Useful for extraction, using a pattern where the content of the source string is indeterminate, such as extracting all email addresses. The 'regex' library is used and supports more advanced regex functionality than the standard 're' library.
- The following arguments have been added.
- The *convenience* argument, which enhances usability, multi-line, ignore_case, and period_matches_newline.
* The *error_if_no_match* argument. The script will not throw an error if a match is not found. If it does not use a transformer within a playbook, you might want to throw an error if the expression doesn't match.
- __GetMLModelEvaluation__
Finds a threshold for the ML model and performs an evaluation based on it.
- __PrettyPrint__
Pretty-print data using Python's pprint library. This is useful for seeing the structure of an incident and context data.
- __KeylightCreateIssue__
Use this script to simplify the process of creating or updating a record in Keylight v2.
11 Improved Scripts
- __IPv4Blacklist__
- Improved script implementation.
- Breaking changes: updated Docker image.
- __DBotPredictPhishingWords__
- Added support for text highlighting.
- Added support for minimum text-length argument.
- Added an argument, when there is prediction, not to return an error.
- __GetTime__
Fixed an issue where providing a date input from context returned the current date instead of the provided date.
- __IPv4Whitelist__
- Improved script implementation.
- Breaking changes: updated Docker image.
- __UnzipFile__
The file size (in bytes) is returned as expected.
- __SaneDocReports__
- Fixed an issue where the line chart x-axis was not readable.
- Fixed an issue with the graph width.
- __IsRFC1918Address__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __IsNotInCidrRanges__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __DBotTrainTextClassifierV2__
Added new evaluation methodology and metrics to the logic of the trained model.
- __IsInCidrRanges__
- Improved script implementation.
- Breaking changes: updated the script Docker image.
- __ParseEmailFiles__
Added handling for cases where an attachment has neither the *DisplayName* nor the *AttachFilename* properties.
---
Playbooks
5 New Playbooks
- __CVE Enrichment - Generic v2__
Performs CVE Enrichment using the following integrations.
- VulnDB
- CVE Search
- IBM X-Force Exchange
- __Active Directory - Get User Manager Details__
Takes an email address or a username of a user account in an Active Directory, and returns the email address of the user's manager.
- __PANW - Hunting and threat detection by indicator type__
This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on file hashes, IP addresses, or domain names provided manually or taken from outputs of other playbooks.
- __Block IOCs from CSV - External Dynamic List__
Parses a CSV file with IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
- __QRadar Indicator Hunting__
Queries QRadar SIEM for indicators, such as file hashes, IP addresses, domains, and URLs.
14 Improved Playbooks
- __Endpoint Malware Investigation - Generic__
Added new playbook inputs.
- __Intezer - Analyze by hash__
Fixed an issue where the playbook finished before the analysis was completed.
- __PAN-OS - Block URL - Custom URL Category__
Added new playbook inputs.
- __DBot Create Phishing Classifier V2__
Updated evaluation metrics of the trained model.
- __Intezer - Analyze Uploaded file__
Fixed an issue where the playbook finished before the analysis was completed.
- __PAN-OS EDL Setup__
Rule position is no longer mandatory, the default position was changed to **Top**.
- __Palo Alto Networks - Endpoint Malware Investigation__
- Added the new sub-playbook **PANW - Hunting and threat detection by indicator type**.
- Added new playbook inputs.
- __PAN-OS - Block IP and URL - External Dynamic List__
- Fixed an issue with EDL refresh for Panorama.
- Added new playbook inputs.
- __PAN-OS - Create Or Edit Rule__
Rule position is no longer mandatory, and the default position was changed to **Bottom**.
- __PAN-OS DAG Configuration__
Rule position is no longer mandatory, and the default position was changed to **Top**.
- __Access Investigation - Generic - NIST__
- Fixed inputs for **IP Enrichment - Generic v2**.
- Removed the *Change severity* task.
- __Block IP - Generic v2__
Added playbook inputs to establish the PAN-OS remediation path.
- __Palo Alto Networks - Malware Remediation__
Added the new sub-playbook **PAN-OS - Block Domain - External Dynamic List**.
- __PAN-OS - Block Domain - External Dynamic List__
- Fixed an issue with EDL refresh for Panorama.
- Added new playbook inputs.