Demisto Content Release Notes for version 19.9.1 (29841)
Published on 18 September 2019
Integrations
4 New Integrations
- __ThreatQ v2__
Use the ThreatQ v2 integration to manage indicator scoring, types, and attributes.
- __Elasticsearch v2__
Use the Elasticsearch v2 integration to query and search indexes using the Lucene syntax. Supports Elasticsearch version 6 and later.
- __Shodan v2__
A search engine used for searching Internet-connected devices.
- __AttackIQ FireDrill__
An attack simulation platform that provides validations for security controls, responses, and remediation exercises.
25 Improved Integrations
- __IBM QRadar__
- The *note_id* argument is now optional in the ***qradar-get-note*** command. If the *note_id* argument is not specified, the command will return all notes for the the offense.
- Fixed an issue when closing an offense with the ***qradar-update-offense*** command, in which a user would specify a close reason, but an error was returned specifying that there was no close reason.
- __Whois__
- Updated the integration documentation to reflect capabilities of the Whois integration.
- Added context outputs to match context standards, which enables outputs to be found for field mapping.
- __AlienVault USM Anywhere__
- Improved implementation of the fetch incidents function.
- Improved integration documentation.
- Added the *Fetch limit* and *Time format* parameters to the instance configuration.
- __VirusTotal - Private API__
Added context outputs to match context standards, which enables outputs to be found for field mapping.
- __EWS v2__
Improved handling of uploaded EML files.
- __SentinelOne V2__
- Fixed an issue in the **Fetch incidents** function.
- Fixed date parameters in the ***sentinelone-get-threats*** command.
- Added the ***fetch_limit*** parameter, which specifies the maximum number of incidents to fetch.
- __Palo Alto Networks Minemeld__
- Improved error handling for API errors.
- Changed the name of the proxy parameter from *Use system proxy* to *Use system proxy settings*.
- __IntSights__
Improved the error message in cases where the URL address is incorrect.
- __Cuckoo Sandbox__
You can now enter an array of IDs for the ***cuckoo-view-task*** command.
- __EWS Mail Sender__
Improved logging implementation.
- __GitHub__
Added 14 commands.
- ***GitHub-get-stale-prs***
- ***GitHub-get-branch***
- ***GitHub-create-branch***
- ***GitHub-delete-branch***
- ***GitHub-list-teams***
- ***GitHub-get-team-membership***
- ***GitHub-request-review***
- ***GitHub-create-comment***
- ***GitHub-list-issue-comments***
- ***GitHub-list-pr-files***
- ***GitHub-list-pr-reviews***
- ***GitHub-get-commit***
- ***GitHub-add-label***
- ***GitHub-get-pull-request***
- __Cybereason__
Fixed the *Filters* argument in the ***cybereason-query-malops*** command.
- __Hybrid Analysis__
- Added calculation for DbotScore.
- Added 4 new commands.
- ***hybrid-analysis-quick-scan-url***
- ***hybrid-analysis-quick-scan-url-results***
- ***hybrid-analysis-submit-url***
- ***hybrid-analysis-list-scanners***
- Added the *malicious_threat_levels* argument to the ***hybrid-analysis-scan*** command.
- Added the *min_malicious_scanners* argument to the ***hybrid-analysis-search*** command.
- Updated outputs in the ***hybrid-analysis-scan*** command.
- __Gmail__
- Added 7 commands.
- ***gmail-hide-user-in-directory***
- ***gmail-set-password***
- ***gmail-get-autoreply***
- ***gmail-set-autoreply***
- ***gmail-delegate-user-mailbox***
- ***gmail-remove-delegated-mailbox***
- ***send-mail***
- Fixed an issue where in some cases, emails from different timezones did not create incidents. This might cause duplicate incidents shortly after upgrading.
- __Palo Alto Networks AutoFocus V2__
Added several arguments to the ***autofocus-samples-search*** and ***autofocus-sessions-search*** commands.
- *file_hash*.
- *domain*.
- *ip*.
- *url*.
- *wildfire_verdict*.
- *first_seen*.
- *last_updated*.
- __Cylance Protect v2__
Added the *batch_size* argument to the ***cylance-protect-delete-devices*** command, which specifies the number of devices to delete per request (batch).
- __Palo Alto Networks PAN-OS__
- Added the *tag* argument to several commands.
- List commands - filter by a tag.
- Create and edit commands.
- Added the context output Tags to all list, create, edit, and get commands.
- Added support in the ***panorama-query-logs*** command to supply a list of arguments, which are separated using the "OR" operator.
- Improved error messaging when trying to configure a *device-group* that does not exist.
- __Palo Alto Networks WildFire v2__
- Fixed an issue in which the ***wildfire-report*** command failed for specific hash values.
- Fixed an issue in which the ***wildfire-report*** command failed when issuing it for an in-progress analysis.
- __Microsoft Teams__
- Added verification for the authorization header signature.
- Added support for HTTPS.
- __Active Directory Query v2__
- Fixed an issue in the ***custom-field-data*** argument.
- Fixed an issue in the ***ad-create-contact*** command.
- Improved description of the ***filter*** argument in the ***ad-search*** command.
- Fixed the example value description for the ***custom-attribute*** argument in the ***ad-create-user*** and ***ad-create-contact*** commands.
- __urlscan.io__
- Added support for the _Verdict_ result from the urlscan.io API.
- Default privacy setting is now customizable, which enables submissions to be public or private (globally).
- __ThreatConnect__
Added 8 new commands.
- ***tc-get-group***
- ***tc-get-group-attributes***
- ***tc-get-group-security-labels***
- ***tc-get-group-tags***
- ***tc-download-document***
- ***tc-get-group-indicators***
- ***tc-get-associated-groups***
- ***tc-associate-group-to-group***
- __Slack v2__
Added support for multi-line JSON when creating an incident in a direct message.
- __DUO Admin__
Fixed an issue in the ***duoadmin-get-authentication-logs-by-user*** command.
- __Carbon Black Enterprise Protection V2__
Fixed an issue with the ***fetch-incidents*** command where users received an error when there were no incidents to fetch.
---
Scripts
New Script
- __PadZeros__
Adds zeros (0) to the beginning of the string, until the string reaches the specified length.
6 Improved Scripts
- __IdentifyAttachedEmail__
Fixed an issue where in some cases output was not set to the context.
- __HTMLDocsAutomation__
- Added the *permissions* argument with the following options:
- **per-command** - the permissions entry will be displayed in every command section.
- ***global*** - the permissions entry will be displayed once, in its own section.
- ***none*** - if there are no permissions required for this integration, there will be no permissions section.
- Added a comment with an HTML example showing how to manually add an image to each command HTML section.
- Fixed an issue in the arguments descriptions.
- __SlackAsk__
Added support for users to reply within a thread to messages sent from the Demisto integration.
- __FindSimilarIncidents__
Added support for list values in context keys and incident fields.
- __CommonServerPython__
Added the ***parse_date_string*** function, which parses the date string to a datetime object.
- __ParseEmailFiles__
Removed the hyperlink from links.
---
Playbooks
16 New Playbooks
- __PAN-OS - Block IP - Custom Block Rule__
- This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall.
- The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration.
- __Calculate Severity By Email Authenticity__
Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script.
- __PAN-OS Log Forwarding Setup And Configuration__
This playbook sets up and maintains log forwarding for the Panorama rulebase. It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy.\nYou can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured.
- __Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account__
AWS Cloudtrail is a service which provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events).
- __Calculate Severity By Highest DBotScore__
Calculates the incident severity level according to the highest indicator DBotScore.
- __Calculate Severity - Generic v2__
Calculate and assign the incident severity based on the highest returned severity level from the following calculations:
- DBotScores of indicators.
- Critical assets.
- Email authenticity.
- Current incident severity.
- __Calculate Severity - Standard__
Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
- __Cortex XDR Incident Handling__
- This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
- The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.
- ***Note*** - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.
- For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
- __Block IP - Generic v2__
- This playbook blocks malicious IPs using all integrations that are enabled. The playbook supports the following integrations.
- Check Point Firewall
- Palo Alto Networks MineMeld
- Palo Alto Networks PAN-OS
- Zscaler
- __PAN-OS - Block URL - Custom URL Category__
- This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories.
- The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration.
- __Calculate Severity - Critical Assets v2__
- Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
- Critical assets refer to: users, user groups, endpoints and endpoint groups.
- __Phishing Investigation - Generic v2__
- Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
- The final remediation tasks are always decided by a human analyst.
- __Hybrid-analysis quick-scan__
Use this playbook to run the ***quick-scan*** command with generic-polling.
- __PAN-OS - Block IP and URL - External Dynamic List__
- This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
- It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IP addresses and URLs to the relevant lists.
- __Palo Alto Networks - Malware Remediation__
This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
- __PAN-OS - Block IP - Static Address Group__
- This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall.
- The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, and adds them and commits the configuration.
- ***Note*** - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook.
5 Improved Playbooks
- __Phishing Investigation - Generic v2__
- Improved the **Calculate Severity - Generic v2** playbook to evaluate more accurately the severity of an incident.
- Added a check for email authenticity using SPF, DKIM and DMARC. The verdict will also appear on the summary page of phishing incidents.
- __Block URL - Generic__
- Added section headers.
- Added two sub-playbooks.
- **PAN-OS - Block URL - Custom URL Category**.
- **PAN-OS - Block IP and URL - External Dynamic List**.
- __Block IP - Generic__
- Added section headers.
- Fixed an issue with implementation of the ZScaler integration.
- __Block Indicators - Generic__
Added the sub-playbook **Block IP - Generic v2**.
- __PAN-OS Commit Configuration__
Improved names and the layout.
---
Incident Fields
New Incident Field
- __Email Authenticity Check__
Indicates the authenticity of the email, which is determined by using the CheckEmailAuthenticity script.