Demisto-py

Latest version: v3.3.0


19.11.0

Demisto Content Release Notes for version 19.11.0 (33434)
Published on 12 November 2019

Integrations

6 New Integrations
- __Vectra v2__
Automated attacker behavior analytics.
- __Google Key Management Service__
Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality.
- __ExtraHop Reveal(x)__
Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
- __SecurityAdvisor__
Contextual coaching and awareness for end users.
- __AlienVault OTX v2__
Query Indicators of Compromise in AlienVault OTX.
- __DomainTools Iris__
A threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers, and so on.

22 Improved Integrations
- __ArcSight Logger__
- Fixed an issue where date fields in search results were in epoch format instead of human readable format.
- Added a function to handle chart operations in the logger search.
- __SplunkPy__
Increased the maximum fetch limit for Splunk.
- __Qualys__
Improved implementation of the ***qualys-vm-scan-launch*** command.
- __Uptycs__
Fixed an issue where users could not set an asset tag with a key that already exists, by adding a new column, *ancestor_list*, to the *process_events* table in osquery. This simplifies computing the parent-child lineage of processes.
- __Netskope__
Added the ability to fetch alerts as incidents.
- __Kenna__
Improved inputs and outputs of the ***kenna-search-fixes*** command.
- __Red Canary__
Fixed an issue where non-Active Directory user names caused an "index out of range" exception.
- __Rasterize__
Added support for the *px* suffix in the _width_ and _height_ parameters.
- __Palo Alto Networks PAN-OS__
- Fixed an issue where the ***panorama-custom-block-rule*** command failed when trying to block an EDL or an address group object.
- Changed the *url* argument from **equals** to **contains** in the ***panorama-log-query*** command.
- Improved descriptions in the ***panorama-move-rule*** command.
- __EWS v2__
- Improved implementation of the ***ews-move-item-between-mailboxes*** command.
- The email body now prints to context and the War Room for the following commands:
- ***ews-get-items***
- ***ews-search-mailbox***
- __Mail Sender (New)__
- Added support for versions of *smtplib* that use *sys.stderr*.
- Fixed support for CRAM-MD5 authentication.
- __Palo Alto Networks PAN-OS EDL Management__
- Fixed an issue where the ***pan-os-edl-update*** command failed in *scp_execute()* when the file path included space characters.
- Fixed an issue where the *ssh_execute()* function failed when the file name included space characters.
- __Palo Alto Networks Cortex__
Fixed an issue with the Test module.
- __RSA Archer__
- Fixed an issue in the Archer fetch incidents offset.
- Fixed an issue in the fetched incidents details.
- Improved errors and added debug logs.
- __BeyondTrust Password Safe__
Fixed an issue where stored credentials were using a non-unique identifier.
- __ProtectWise__
- Fixed an issue where events were not fetched properly.
- Added the ability to limit the number of fetched incidents per fetch.
- Fixed outputs for the ***protectwise-event-info*** command.
- __urlscan.io__
Fixed a typo in an error message.
- __Elasticsearch v2__
Added support for timestamps.
- __RSA NetWitness v11.1__
- Added the *Fetch Limit* parameter.
- Fixed an issue where an unsupported timestamp format caused the integration to fail.
- __Palo Alto Networks AutoFocus V2__
Added descriptions to the ***autofocus-tag-details*** command.
- __Carbon Black Enterprise Response__
Added the *decompress* argument to the ***cb-binary-get*** command.
- __Kafka V2__
Updated the Docker image ***demisto/pykafka*** to version 1.0.0.3321 (requires Demisto 5.0).

---
Scripts

14 New Scripts
- __IPv4Blacklist__
Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
- __IsNotInCidrRanges__
Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.
- __IPv4Whitelist__
Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
- __GetByIncidentId__
Gets a value from the specified incident's context.
- __IsInCidrRanges__
Determines whether an IPv4 address is contained in one or more comma-delimited CIDR ranges.
- __CalculateGeoDistance__
Computes the distance between two sets of coordinates, in miles.
- __IsRFC1918Address__
A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network.
- __ExtraHopTrackIncidents__
Links an incident investigation back to the ExtraHop Detection that created it.
- __ProvidesCommand__
Determines which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
- __CalculateTimeDifference__
Calculates the time difference, in minutes.
- __DBotPreProcessTextData__
Pre-process text data for the machine learning text classifier.
- __DBotBuildPhishingClassifier__
Creates a phishing classifier using machine learning techniques, based on email content.
- __DBotTrainTextClassifierV2__
Train a machine learning text classifier.
- __GetIncidentsByQuery__
Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file.
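The CIDR-based scripts above (IsInCidrRanges, IsNotInCidrRanges, IPv4Whitelist, IPv4Blacklist and IsRFC1918Address) all reduce to the same check. The following is an added example, not the content repository's own script code, implementing that check on the standard library `ipaddress` module; the function names, the comma-delimited range syntax, and the choice to drop non-IPv4 values from transformer output and to reject ranges with host bits set are this example's assumptions.

```python
"""Added example: IPv4 range filtering as described for the IsInCidrRanges,
IsNotInCidrRanges, IPv4Whitelist, IPv4Blacklist and IsRFC1918Address scripts.
Not the Demisto content scripts themselves; names and edge-case handling
(dropping non-IPv4 values, rejecting ambiguous ranges) are assumptions."""
import ipaddress
from typing import Iterable, List, Optional, Union

# RFC 1918 private address space, as listed in the IsRFC1918Address description.
RFC1918_RANGES = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)


def parse_cidr_ranges(ranges: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-delimited list of IPv4 CIDR ranges.

    A bare address (no prefix) is accepted as a /32. Malformed entries, IPv6
    networks and ranges with host bits set (e.g. 10.1.2.3/8) raise ValueError,
    so a typo in an allow/deny list fails the playbook task loudly instead of
    silently changing which addresses are filtered.
    """
    networks = []
    for raw in ranges.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing or doubled commas
        net = ipaddress.ip_network(item, strict=True)
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"not an IPv4 range: {item!r}")
        networks.append(net)
    return networks


def to_ipv4(value: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4Address for value, or None if it is not a valid IPv4 address."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def is_in_cidr_ranges(ip: str, ranges: Union[str, Iterable[ipaddress.IPv4Network]]) -> bool:
    """IsInCidrRanges: True if ip falls inside at least one of the given ranges."""
    addr = to_ipv4(ip)
    if addr is None:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    networks = parse_cidr_ranges(ranges) if isinstance(ranges, str) else ranges
    return any(addr in net for net in networks)


def is_not_in_cidr_ranges(ip: str, ranges: Union[str, Iterable[ipaddress.IPv4Network]]) -> bool:
    """IsNotInCidrRanges: the negation of is_in_cidr_ranges."""
    return not is_in_cidr_ranges(ip, ranges)


def is_rfc1918_address(ip: str) -> bool:
    """IsRFC1918Address: True if ip is in 10/8, 172.16/12 or 192.168/16."""
    return is_in_cidr_ranges(ip, RFC1918_RANGES)


def filter_ipv4(values, ranges: str, keep_matching: bool) -> List[str]:
    """Shared core of the IPv4Whitelist (keep_matching=True) and
    IPv4Blacklist (keep_matching=False) transformers.

    Accepts a single string or a list, since a transformer may receive either,
    and returns only entries that are valid IPv4 addresses and satisfy the
    match condition. Hostnames, IPv6 addresses and junk are never returned.
    """
    if isinstance(values, str):
        values = [values]
    networks = parse_cidr_ranges(ranges)
    kept = []
    for value in values:
        addr = to_ipv4(str(value))
        if addr is None:
            continue  # not IPv4: excluded from the output (assumption)
        matched = any(addr in net for net in networks)
        if matched == keep_matching:
            kept.append(str(addr))
    return kept


def ipv4_whitelist(values, ranges: str) -> List[str]:
    """IPv4Whitelist: keep only addresses that fall inside the ranges."""
    return filter_ipv4(values, ranges, keep_matching=True)


def ipv4_blacklist(values, ranges: str) -> List[str]:
    """IPv4Blacklist: keep only addresses that fall outside the ranges."""
    return filter_ipv4(values, ranges, keep_matching=False)


if __name__ == "__main__":
    # Constructed sample: peer addresses from a firewall log, with the RFC 1918
    # space filtered out so only internet-routable peers remain for enrichment.
    sample = ["10.0.3.7", "198.51.100.23", "192.168.1.10", "2001:db8::1", "203.0.113.9", "bogus"]
    print(ipv4_blacklist(sample, "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"))
```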

9 Improved Scripts
- __UnEscapeURLs__
Improved handling of Proofpoint v3 URLs.
- __SearchIncidents__
- Fixed the examples in command descriptions.
- __RegexGroups__
Updated the RegexGroups transformer to Python 3 in order to support special ASCII characters and additional error handling (requires Demisto 5.0).
- __SaneDocReports__
- Fixed table and list functions.
- Fixed an issue where trends had long floating point values.
- Fixed an issue where line charts with more than 40 columns were not readable.
- __CopyContextToField__
Added the ability to set the value of an incident field from the value of a context key. If the context key is a list, the first element of the list is taken as the value.
- __DeleteContext__
Added the **auto** option to the *subplaybook* argument. Use **auto** to delete either from the sub-playbook context (if the playbook is called as a sub-playbook) or from the global context (if the playbook is the master playbook).
- __CommonServerPython__
Fixed the IntegrationLogger auto-replace of sensitive strings.
- __HTMLDocsAutomation__
- Fixed an issue where commands in the top part were in the format **name:name** instead of **description:name**.
- Added links for the list of commands to each command.
- __XDRSyncScript__
Fixed an issue where the **XDRSyncScript** script executed the ***xdr-update-incident*** command even when required arguments were empty.

---
Playbooks

11 New Playbooks
- __ExtraHop - Ticket Tracking__
Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. Documentation was provided by ExtraHop.
- __ExtraHop - Get Peers by Host__
Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes) the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
- __Block Indicators - Generic v2__
This playbook blocks malicious indicators using all enabled integrations, by way of several sub-playbooks.
- __Impossible Traveler__
This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler).
- __Indicator Pivoting - DomainTools Iris__
Pivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP address returns all domains related to that IP address.
- __ExtraHop - Default__
This is the default playbook to run for all ExtraHop Detection incidents, which handles ticket tracking and triggers specific playbooks based on the name of the ExtraHop Detection. Documentation was provided by ExtraHop.
- __Isolate Endpoint - Generic__
This playbook isolates a given endpoint.
- __Block File - Cybereason__
This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
- __Block File - Generic v2__
This playbook is used to block files from running on endpoints.
- __Block File - Cylance Protect v2__
This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration.
- __DBot Create Phishing Classifier V2__
Creates a phishing classifier using machine learning techniques, based on email content.
- __DBot Create Phishing Classifier V2 Job__
Trains the phishing machine learning model. This playbook should be used as a job that runs repeatedly, for example every week.

3 Improved Playbooks
- __Block IP - Generic v2__
Fixed output descriptions.
- __Endpoint Enrichment - Generic v2.1__
Added support for the ExtraHop Reveal(x) integration.
- __Phishing Investigation - Generic v2__
- Fixed an issue where the task that saves the email address of the reporter of the phishing email was disconnected from the previous task.
- Fixed an issue where the DT that was used to get the display name of the user who reported the email was invalid.

---
Widgets

New Widget
- __Page Break Widget__
Use the page break widget in a report to force a page break before the widgets that follow.

---
Incident Fields

19 New Incident Fields
- __Sign In Date Time__
The date and time when the second sign in of the user occurred, in ISO-8601 format.
- __Coordinates__
The coordinates of the location from which the user logged in.
- __Source IP__
The IP address from which the user initially logged in.
- __Raw Participants__
Raw list of participant objects associated with the ExtraHop Reveal(x) detection.
- __ExtraHop Hostname__
Hostname of the ExtraHop Reveal(x) that created the detection.
- __Risk Score__
Risk score associated with the ExtraHop Reveal(x) detection.
- __Previous Sign In Date Time__
The date and time when the first sign in of the user occurred, in ISO-8601 format.
- __Username__
The username of the account that logged in.
- __Detection ID__
ID of the ExtraHop Reveal(x) detection.
- __Destination IP__
The IP address to which the impossible traveler logged in.
- __Travel Map Link__
The link to a map that shows the travel path of the user.
- __Detection Update Time__
Timestamp of when the ExtraHop Reveal(x) detection was last updated.
- __Detection Ticketed__
Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x).
- __Previous Coordinates__
The coordinates of the location from which the user previously logged in.
- __Participants__
List of participant objects associated with the ExtraHop Reveal(x) detection.
- __Detection End Time__
Timestamp of when the ExtraHop Reveal(x) detection ended.
- __Previous Source IP__
The previous IP address from which the user logged in.
- __Detection URL__
URL of the ExtraHop Reveal(x) detection.
- __ExtraHop Appliance ID__
Appliance ID of the ExtraHop Reveal(x) that created the detection.

---
Incident Layouts

6 New Incident Layouts
- __ExtraHop Detection - Mobile__
Added a layout for the **ExtraHop Detection** incident type.
- __ExtraHop Detection - Close__
Added a layout for the **ExtraHop Detection** incident type.
- __ExtraHop Detection - New/Edit__
Added a layout for the **ExtraHop Detection** incident type.
- __ExtraHop Detection - Summary__
Added a layout for the **ExtraHop Detection** incident type.
- __Impossible Traveler - Summary__
Added a layout for the **Impossible Traveler** incident type.
- __ExtraHop Detection - Quick View__
Added a layout for the **ExtraHop Detection** incident type.

19.10.3

Demisto Content Release Notes for version 19.10.3 (32464)
Published on 31 October 2019

Major Fix
URLScan.io removed the Google Safe Browsing API from the API responses that they return. We updated our integration with URLScan.io to reflect their product changes.

Integrations

4 New Integrations
- __PolySwarm__
Real-time threat intelligence from a crowd-sourced network of security experts and anti-virus companies.
- __SlashNext Phishing Incident Response__
SlashNext Phishing Incident Response integration allows Demisto users to fully automate analysis of suspicious URLs.
- __Google Docs__
Use the Google Docs integration to create and modify Google Docs documents.
- __ARIA Packet Intelligence__
The ARIA Cybersecurity Solutions Software-Defined Security (SDS) platform integrates with Demisto to add robustness when responding to incidents.

19 Improved Integrations
- __urlscan.io__
- Fixed a breaking change in the API.
- Added support for batches.
- __AWS - IAM__
- Added the following commands:
- ***aws-iam-get-account-password-policy***
- ***aws-iam-update-account-password-policy***
- Added support for access keys, proxy environments, and trusting insecure connections.
- __Palo Alto Networks WildFire v2__
Fixed an issue in which testing the integration instance failed.
- __Palo Alto Networks PAN-OS__
Added the ***panorama-security-policy-match*** command.
- __Palo Alto Networks MineMeld__
Fixed lowercase hash types in the outputs.
- __Rasterize__
- Added the ___rasterize-pdf___ command, which converts a PDF file to an image file.
- The ___rasterize-email___ command is now available in offline mode.
- Added the *wait_time* parameter to the ___rasterize___ command and to the instance configuration, which sets the time to wait before taking a screenshot.
- __Palo Alto Networks Cortex__
- Added 4 new commands:
- ***cortex-query-traffic-logs***
- ***cortex-query-threat-logs***
- ***cortex-query-traps-logs***
- ***cortex-query-analytics-logs***
- __SentinelOne v2__
- Fixed an issue in the ***Fetch incidents*** function.
- Fixed an issue in the ***sentinelone-get-threats*** command.
- __EWS v2__
- Improved implementation of the ***ews-search-mailbox*** command.
- Added the ***ews-get-items-as-eml*** command.
- __RSA Archer__
Fixed the default field on which the search is performed.
- __SMIME Messaging__
Added the ***smime-sign-and-encrypt*** command.
- __Gmail__
- Added the *page-token* parameter to the ***gmail-list-users*** command, which returns further results.
- The ***gmail-search-all-mailboxes*** command now runs on all users.
- __SplunkPy__
- Improved handling of the *app context* parameter.
- Fixed handling of arrays when converting notable events to incidents.
- __IBM QRadar__
- Fixed an issue in which the ***fetch-incidents*** function failed while enriching fetched offenses with source and destination IP addresses.
- Fixed an issue in which the ***qradar-delete-reference-set-value*** command failed to delete reference sets with the "\\" character in their names.
- __Proofpoint TAP v2__
Fixed the **fetch-incidents** function when the *last_fetch* time range is greater than 1 hour.
- __Tenable.io__
Fixed the *raw-response* argument for all commands.
- __Mail Sender (New)__
- The integration ignores the FQDN configuration parameter if it is empty or contains only whitespace.
- Added the *raw_message* argument to the ***send-mail*** command.
- __Cloaken__
Added the ***cloaken-screenshot-url*** command.
- __GitHub__
- Improved implementation of the default value for the *fetch_time* parameter.
- Added 4 commands:
- ***GitHub-list-pr-review-comments***
- ***GitHub-update-pull-request***
- ***GitHub-is-pr-merged***
- ***GitHub-create-pull-request***

---
Scripts

5 New Scripts
- __LastArrayElement__
Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.
- __EmailDomainWhitelist__
Accepts an array of domains as a whitelist, and a list of email addresses. The script then filters out any email address whose domain is not in the whitelist. The filtered list will be returned as an array.
- __FirstArrayElement__
Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.
- __EmailDomainBlacklist__
Accepts an array of domains as a blacklist, and a list of email addresses. The script then filters out any email address whose domain is in the blacklist. The filtered list will be returned as an array.
- __ConvertFile__
Converts a file from one format to a different format by using the convert-to function of Libre Office.

5 Improved Scripts
- __XDRSyncScript__
The **XDRSyncScript** now works.
- __CheckEmailAuthenticity__
Updated the descriptions for arguments.
- __UnEscapeURLs__
Added handling of Proofpoint v3 URLs.
- __GetDockerImageLatestTag__
Fixed an issue where the script did not return the latest tag.
- __IsMaliciousIndicatorFound__
- Added the *includeManual* argument, which applies the manually assigned indicator severity to the indicator. This overrides the DBot score.
- When a user manually assigns a reputation to an indicator, the reputation is applied to all instances of the indicator regardless of the type.

---
Playbooks

7 New Playbooks
- __Phishing - Core__
Provides a basic response to phishing incidents. The playbook includes the following features:
- Calculates reputation for all indicators.
- Extracts indicators from email attachments.
- Calculates severity for the incident based on indicator reputation.
- Updates reporting user about investigation status.
- Allows manual remediation of the incident.
- __Get File Sample By Hash - Generic v2__
This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
- Get File Sample By Hash - Carbon Black Enterprise Response
- Get File Sample By Hash - Cylance Protect v2
- __Retrieve File from Endpoint - Generic__
This playbook retrieves a file sample from an endpoint using the following playbooks:
- Get File Sample From Path - Generic
- Get File Sample By Hash - Generic v2
- __Get File Sample By Hash - Cylance Protect v2__
This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration.
- __PAN-OS - Create Or Edit Rule__
Creates or edits a Panorama rule and moves it to the desired position.
- __Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days__
Remediates the Prisma Cloud alert "Inactive users for more than 30 days". The playbook deactivates the user by disabling the access keys (marking them as inactive) and resetting the user's console password. To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time.
- __Process Email - Core__
Adds email details to the relevant context entities and handles the case where original emails are attached.

6 Improved Playbooks
- __PanoramaCommitConfiguration__
Improved descriptions and added emphasis on playbook deprecation.
- __Phishing Investigation - Generic v2__
Added a task to save the reporter email address in an incident field, so it can be displayed on the summary page.
- __Process Email - Generic__
- Fixed an issue where the playbook did not populate the raw HTML field that is displayed in the phishing layout.
- The ___rasterize-email___ command is now available in offline mode.
- __PAN-OS EDL Setup__
- Added support for attaching the EDL to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- __PAN-OS DAG Configuration__
- Added support for attaching the DAG to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- __URL Enrichment - Generic v2__
Added a tag for URL screenshots, which can be used to distinguish between incident files and screenshots during the investigation stage.

---
Widgets

Improved Widget
- __Incident Severity by Type__
Incident types are now sorted by severity.

---
Incident Fields
- __Reporter Email Address__
The email address of the user who reported the email.
- __URL SSL Verification__
Indicates whether the URLs passed the SSL certificate verification.
- __Email Headers__
A list of all of the email headers.

---
Incident Layouts

Improved Incident Layout
- __Phishing - Summary__
Improved several widgets for the summary layout, including widget size and location.

19.10.2

Demisto Content Release Notes for version 19.10.2 (32261)
Published on 29 October 2019
Integrations

4 New Integrations
- __PolySwarm__
Real-time threat intelligence from a crowd-sourced network of security experts and anti-virus companies.
- __SlashNext Phishing Incident Response__
SlashNext Phishing Incident Response integration allows Demisto users to fully automate analysis of suspicious URLs.
- __Google Docs__
Use the Google Docs integration to create and modify Google Docs documents.
- __ARIA Packet Intelligence__
The ARIA Cybersecurity Solutions Software-Defined Security (SDS) platform integrates with Demisto to add robustness when responding to incidents.

18 Improved Integrations
- __AWS - IAM__
- Added the following commands:
- ***aws-iam-get-account-password-policy***
- ***aws-iam-update-account-password-policy***
- Added support for access keys, proxy environments, and trusting insecure connections.
- __Palo Alto Networks WildFire v2__
Fixed an issue in which testing the integration instance failed.
- __Palo Alto Networks PAN-OS__
Added the ***panorama-security-policy-match*** command.
- __Palo Alto Networks MineMeld__
Fixed lowercase hash types in the outputs.
- __Rasterize__
- Added the ___rasterize-pdf___ command, which converts a PDF file to an image file.
- The ___rasterize-email___ command is now available in offline mode.
- Added the *wait_time* parameter to the ___rasterize___ command and to the instance configuration, which sets the time to wait before taking a screenshot.
- __Palo Alto Networks Cortex__
- Added 4 new commands:
- ***cortex-query-traffic-logs***
- ***cortex-query-threat-logs***
- ***cortex-query-traps-logs***
- ***cortex-query-analytics-logs***
- __SentinelOne v2__
- Fixed an issue in the ***Fetch incidents*** function.
- Fixed an issue in the ***sentinelone-get-threats*** command.
- __EWS v2__
- Improved implementation of the ***ews-search-mailbox*** command.
- Added the ***ews-get-items-as-eml*** command.
- __RSA Archer__
Fixed the default field on which the search is performed.
- __SMIME Messaging__
Added the ***smime-sign-and-encrypt*** command.
- __Gmail__
- Added the *page-token* parameter to the ***gmail-list-users*** command, which returns further results.
- The ***gmail-search-all-mailboxes*** command now runs on all users.
- __SplunkPy__
- Improved handling of the *app context* parameter.
- Fixed handling of arrays when converting notable events to incidents.
- __IBM QRadar__
- Fixed an issue in which the ***fetch-incidents*** function failed while enriching fetched offenses with source and destination IP addresses.
- Fixed an issue in which the ***qradar-delete-reference-set-value*** command failed to delete reference sets with the "\\" character in their names.
- __Proofpoint TAP v2__
Fixed the **fetch-incidents** function when the *last_fetch* time range is greater than 1 hour.
- __Tenable.io__
Fixed the *raw-response* argument for all commands.
- __Mail Sender (New)__
- The integration ignores the FQDN configuration parameter if it is empty or contains only whitespace.
- Added the *raw_message* argument to the ***send-mail*** command.
- __Cloaken__
Added the ***cloaken-screenshot-url*** command.
- __GitHub__
- Improved implementation of the default value for the *fetch_time* parameter.
- Added 4 commands:
- ***GitHub-list-pr-review-comments***
- ***GitHub-update-pull-request***
- ***GitHub-is-pr-merged***
- ***GitHub-create-pull-request***

---
Scripts

5 New Scripts
- __LastArrayElement__
Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed.
- __EmailDomainWhitelist__
Accepts an array of domains as a whitelist, and a list of email addresses. The script then filters out any email address whose domain is not in the whitelist. The filtered list will be returned as an array.
- __FirstArrayElement__
Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed.
- __EmailDomainBlacklist__
Accepts an array of domains as a blacklist, and a list of email addresses. The script then filters out any email address whose domain is in the blacklist. The filtered list will be returned as an array.
- __ConvertFile__
Converts a file from one format to a different format by using the convert-to function of Libre Office.

5 Improved Scripts
- __XDRSyncScript__
The **XDRSyncScript** now works.
- __CheckEmailAuthenticity__
Updated the descriptions for arguments.
- __UnEscapeURLs__
Added handling of Proofpoint v3 URLs.
- __GetDockerImageLatestTag__
Fixed an issue where the script did not return the latest tag.
- __IsMaliciousIndicatorFound__
- Added the *includeManual* argument, which applies the manually assigned indicator severity to the indicator. This overrides the DBot score.
- When a user manually assigns a reputation to an indicator, the reputation is applied to all instances of the indicator regardless of the type.

---
Playbooks

7 New Playbooks
- __Phishing - Core__
Provides a basic response to phishing incidents. The playbook includes the following features:
- Calculates reputation for all indicators.
- Extracts indicators from email attachments.
- Calculates severity for the incident based on indicator reputation.
- Updates reporting user about investigation status.
- Allows manual remediation of the incident.
- __Get File Sample By Hash - Generic v2__
This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:
- Get File Sample By Hash - Carbon Black Enterprise Response
- Get File Sample By Hash - Cylance Protect v2
- __Retrieve File from Endpoint - Generic__
This playbook retrieves a file sample from an endpoint using the following playbooks:
- Get File Sample From Path - Generic
- Get File Sample By Hash - Generic v2
- __Get File Sample By Hash - Cylance Protect v2__
This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration.
- __PAN-OS - Create Or Edit Rule__
Creates or edits a Panorama rule and moves it to the desired position.
- __Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days__
Remediates the Prisma Cloud alert "Inactive users for more than 30 days". The playbook deactivates the user by disabling the access keys (marking them as inactive) and resetting the user's console password. To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time.
- __Process Email - Core__
Adds email details to the relevant context entities and handles the case where original emails are attached.

6 Improved Playbooks
- __PanoramaCommitConfiguration__
Improved descriptions and added emphasis on playbook deprecation.
- __Phishing Investigation - Generic v2__
Added a task to save the reporter email address in an incident field, so it can be displayed on the summary page.
- __Process Email - Generic__
- Fixed an issue where the playbook did not populate the raw HTML field that is displayed in the phishing layout.
- The ___rasterize-email___ command is now available in offline mode.
- __PAN-OS EDL Setup__
- Added support for attaching the EDL to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- __PAN-OS DAG Configuration__
- Added support for attaching the DAG to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- __URL Enrichment - Generic v2__
Added a tag for URL screenshots, which can be used to distinguish between incident files and screenshots during the investigation stage.

---
Widgets

Improved Widget
- __Incident Severity by Type__
Incident types are now sorted by severity.

---
Incident Fields
- __Reporter Email Address__
The email address of the user who reported the email.
- __URL SSL Verification__
Indicates whether the URLs passed the SSL certificate verification.
- __Email Headers__
A list of all of the email headers.

---
Incident Layouts

Improved Incident Layout
- __Phishing - Summary__
Improved several widgets for the summary layout, including widget size and location.

19.10.1

Demisto Content Release Notes for version 19.10.1 (31209)
Published on 15 October 2019
*Notice*: Breaking Change
__SplunkPy__: This update adds the *app* parameter settings. After the update is complete, you need to re-save existing instances of SplunkPy: open the instance configuration, *Test* the instance, and then save. The *app* parameter may be left empty.

Integrations

New Integration
- __SMIME Messaging__
Use the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data.

14 Improved Integrations
- __Kafka v2__
- Added partitions to ***kafka-print-topic*** command outputs.
- Added a parameter to set the maximum number of messages to fetch.
- Improved debug logging outputs.
- Improved fetch incidents implementation (breaks backward compatibility).
- __Slack v2__
Added support for changing the display name and icon for the Demisto bot in Slack.
- __DUO Admin__
Proxy configuration now works as expected.
- __Palo Alto Networks Traps__
Updated the integration category to *Endpoint*.
- __Active Directory Query v2__
Added support for **debug-mode**, which logs extended information when enabled.
- __RSA Archer__
Added support for European timestamps.
- __Hybrid Analysis__
Fixed an issue where the ***hybrid-analysis-search*** command returned an error when the *query* argument was not used.
- __Prisma Cloud (RedLock)__
- Updated the display name to: **Prisma Cloud (RedLock)**.
- Added the *Trust any certificate* configuration parameter.
- __Microsoft Graph Mail__
- Improved the description of the *search* argument in the ***msgraph-mail-list-emails*** command.
- Fixed an issue where the ***msgraph-mail-delete-email*** command always returned an error.
- __ThreatQ v2__
Fixed results numbering for the following commands:
- ***threatq-get-all-adversaries***
- ***threatq-get-all-indicators***
- ***threatq-get-all-events***
- __Rasterize__
- Updated the integration to use Chrome driver instead of phantomJS (requires Demisto 5.0).
- Improved control over the window size of the output.
- __SplunkPy__
- Added the *app* parameter, which is the app context of the namespace.
- Improved the human readable output of the search command.
- __TruSTAR__
Fixed an issue where the ***trustar-search-indicator*** command returned an incorrect context output.
- __IntSights__
- Fixed an issue where indicators were not extracted correctly in the ***intsight-get-iocs*** command.
- Improved implementation of the following commands:
- ***intsights-get-alert-image***
- ***intsights-get-alert-takedown-status***

---
Scripts

2 New Scripts
- __AwsEC2GetPublicSGRules__
Finds Security Group rules that allow 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
- __PopulateCriticalAssets__
Populates critical assets in a grid field that has the section headers **Asset Type** and **Asset Name**.

2 Improved Scripts
- __CommonServerPython__
- Added the ***is_debug_mode*** wrapper function, which checks if **debug-mode** is enabled.
- The ***return_outputs*** function can now return readable_output.
- __ExtractDomainFromUrlAndEmail__
Added support for URLs that contain non-ASCII characters.

---
Playbooks

5 New Playbooks
- __Traps Quarantine Event__
This playbook accepts a file hash and quarantines the file using Traps.
- __Traps Blacklist File__
This playbook accepts a file SHA256 hash and adds it to a blacklist using the Traps integration.
- __Traps Isolate Endpoint__
This playbook accepts an endpoint ID from the Traps integration and isolates the endpoint.
- __Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port__
This playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked.
- __Palo Alto Networks - Endpoint Malware Investigation__
This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks MineMeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with MineMeld for all related IOCs, and calculates the incident severity based on all the findings.

3 Improved Playbooks
- __Calculate Severity - Critical Assets v2__
Added a task that sets all found critical assets to a new incident field.
- __Calculate Severity - Generic v2__
Fixed an issue where the current incident severity was not always taken into account.
- __Palo Alto Networks - Malware Remediation__
Added Traps remediation sub-playbooks.

---
Incident Fields
- __PID__
PID.
- __Blocked Action__
Blocked Action.
- __Subtype__
Subtype.
- __Infected Hosts__
Infected hosts found in the investigation.
- __Isolated__
Isolated.
- __Device Name__
Device Name.
- __Traps ID__
Traps event ID.
- __Agent ID__
Agent ID.
- __Malicious Behavior__
Malicious Behavior.
- __Quarantined__
Whether the indicator is quarantined or isolated.
- __Terminated Action__
Terminated Action.
- __Src OS__
Src OS.
- __Command Line__
Command Line.
- __File Size__
File Size.
- __Triggered Security Profile__
Triggered Security Profile.
- __Critical Assets__
A table of critical assets involved in the incident, including the name and asset type.
- __Parent Process ID__
Parent Process ID.

---
Incident Layouts
New Incident Layout
- __Traps - Summary__
New layout for Traps incident type.

2 Improved Incident Layouts
- __Phishing - Summary__
- Reorganized several elements of the layout.
- Added a field that displays the result for an email authenticity check.
- Added a field that displays email headers.
- Added a field that displays the email address of the user who reported the phishing email.
- Added a field that displays the email classification.
- Added a field that displays the phishing sub-type.
- Added a field that displays URL SSL verification results.
- Added a section that displays URL screenshots.
- Added a field that displays critical assets involved in the phishing incident.
- __Phishing - Summary__
Added a list of critical assets to the summary layout of phishing incidents.

---
Classification & Mapping

New Classification & Mapping
- __Palo Alto Networks Cortex__
New classifier for Palo Alto Networks Cortex integration for Traps incidents.

---
Reputations
- The regex now recognizes URL query syntax.
- Added support for non-English languages.
- Added support for asterisk, pipeline, and various dashes.

19.10.0

Demisto Content Release Notes for version 19.10.0 (30654)
Published on 02 October 2019
Integrations

3 New Integrations
- __BitDam__
Use the BitDam integration to submit files for analysis.
- __Palo Alto Networks Traps__
Use the Palo Alto Networks Traps integration to initiate scans, retrieve files from events, isolate endpoints, quarantine files, and manage the blacklist.
- __Exabeam__
Use the Exabeam Security Management Platform integration to get data and labels for users and to get data for watchlists.

15 Improved Integrations
- __ArcSight ESM v2__
Limited the incident fetch limit to 50 incidents per fetch.
- __Palo Alto Networks AutoFocus V2__
Improved handling of empty responses for the ***autofocus-samples-search*** and ***autofocus-sessions-search*** commands.
- __Have I Been Pwned? V2__
- Added handling for cases where the rate limit is exceeded.
- Added the *max_retry_time* integration parameter, which defines the maximum time per request.
- __AttackIQ Platform__
Changed the integration name from **AttackIQ FireDrill** to **AttackIQ Platform**.
- __BluecatAddressManager__
- Added the ***bluecat-am-get-range-by-ip*** command.
- Improved handling of cases in which an error is returned from querying a non-existing IP address.
- __Microsoft Teams__
- Added support for single port mapping.
- Added the ***microsoft-teams-integration-health*** command.
- __OnboardingIntegration__
Fixed an issue where incidents weren't fetched when the *frequency* parameter was set.
- __Shodan v2__
Added display name clarification.
- __Slack v2__
Added support for sending blocks (graphical attachments) in messages. For more information see the integration documentation.
- __SplunkPy__
Added the *Earliest time to fetch* and *Latest time to fetch* parameters, which are the names of the Splunk fields whose value defines the query's earliest and latest time to fetch.
- __PagerDuty v2__
Added new arguments to the ***PagerDuty-get-users-on-call-now*** command.
- *escalation_policy_ids*
- *schedule_ids*
- __Windows Defender Advanced Threat Protection__
Fixed an issue in the ***fetch incidents*** functionality.
- __Snowflake__
Fixed an issue in the ***fetch incidents*** functionality.
- __SentinelOne V2__
- Fixed an issue with the ***sentinelone-disconnect-agent*** command.
- Fixed human-readable output in the ***sentinelone-get-threat*** command in cases where the content_hash does not exist.
- __Recorded Future__
Added the *Suspicious Threshold* parameter.

---
Scripts

New Script
- __PanwIndicatorCreateQueries__
The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

6 Improved Scripts
- __FilterByList__
Regular expressions (regex) now work as expected.
- __ParseEmailFiles__
Improved handling for smime signed file attachments in MSG emails.
- __CheckEmailAuthenticity__
Fixed an issue that prevented playbooks from using this script.
- __CommonServerPython__
- Added requests debugging logger when *debug-mode=true*.
- Added the ***BaseClient*** and ***DemistoException*** objects.
- Added the ***build_dbot_entry*** and ***build_malicious_dbot_entry*** functions.
- Added spaces between cells for ***tableToMarkdown*** function output, to prevent auto-extract over multiple cells.
- __SlackAsk__
Added support for users to reply to messages received from the Demisto integration using buttons. For more information see the integration documentation.
- __SaneDocReports__
- Fixed several issues related to tables in reports generated as DOCX files.
- Generating the new investigation layout in a report as a DOCX file works as expected.

---
Playbooks

2 New Playbooks
- __AutoFocusPolling__
Use this playbook as a sub-playbook to query the Palo Alto Networks AutoFocus threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook except that it provides outputs in the playbook. The reason for that is that in AutoFocus it is not possible to query the results of the same query more than once, so the outputs have to be in the polling context.
- __Autofocus Query Samples, Sessions and Tags__
Use this playbook to query the PANW threat intelligence AutoFocus system. The playbook accepts indicators such as IPs, hashes, and domains to run basic queries or model advanced queries that can leverage several query parameters. We recommend that you create advanced queries using the AutoFocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to create a query and then use the export search button. The result can be used as a playbook input.
3 Improved Playbooks
- __Panorama Query Logs__
Fixed an issue in the ***Panorama Query logs*** playbook.
- __Cortex XDR Incident Handling__
The ***Is AutoFocus Enabled?*** task now checks for the **AutoFocus v2** integration.
- __Phishing Investigation - Generic v2__
Fixed an issue where the email authenticity check task failed to find the relevant script.

---
Incident Layouts

New Incident Layout
- __GDPR Data Breach - Summary__
Added a new layout for the **GDPR Data Breach** incident type.

Improved Incident Layout
- __Phishing - Summary__
Added email authenticity check to phishing incident layout (summary page).

19.9.1

Demisto Content Release Notes for version 19.9.1 (29841)
Published on 18 September 2019
Integrations

4 New Integrations
- __ThreatQ v2__
Use the ThreatQ v2 integration to manage indicator scoring, types, and attributes.
- __Elasticsearch v2__
Use the Elasticsearch v2 integration to query and search indexes using the Lucene syntax. Supports Elasticsearch version 6 and later.
- __Shodan v2__
A search engine used for searching Internet-connected devices.
- __AttackIQ FireDrill__
An attack simulation platform that provides validations for security controls, responses, and remediation exercises.

25 Improved Integrations
- __IBM QRadar__
- The *note_id* argument is now optional in the ***qradar-get-note*** command. If the *note_id* argument is not specified, the command will return all notes for the offense.
- Fixed an issue when closing an offense with the ***qradar-update-offense*** command, in which a user would specify a close reason, but an error was returned specifying that there was no close reason.
- __Whois__
- Updated the integration documentation to reflect capabilities of the Whois integration.
- Added context outputs to match context standards, which enables outputs to be found for field mapping.
- __AlienVault USM Anywhere__
- Improved implementation of the fetch incidents function.
- Improved integration documentation.
- Added the *Fetch limit* and *Time format* parameters to the instance configuration.
- __VirusTotal - Private API__
Added context outputs to match context standards, which enables outputs to be found for field mapping.
- __EWS v2__
Improved handling of uploaded EML files.
- __SentinelOne V2__
- Fixed an issue in the **Fetch incidents** function.
- Fixed date parameters in the ***sentinelone-get-threats*** command.
- Added the ***fetch_limit*** parameter, which specifies the maximum number of incidents to fetch.
- __Palo Alto Networks Minemeld__
- Improved error handling for API errors.
- Changed the name of the proxy parameter from *Use system proxy* to *Use system proxy settings*.
- __IntSights__
Improved the error message in cases where the URL address is incorrect.
- __Cuckoo Sandbox__
You can now enter an array of IDs for the ***cuckoo-view-task*** command.
- __EWS Mail Sender__
Improved logging implementation.
- __GitHub__
Added 14 commands.
- ***GitHub-get-stale-prs***
- ***GitHub-get-branch***
- ***GitHub-create-branch***
- ***GitHub-delete-branch***
- ***GitHub-list-teams***
- ***GitHub-get-team-membership***
- ***GitHub-request-review***
- ***GitHub-create-comment***
- ***GitHub-list-issue-comments***
- ***GitHub-list-pr-files***
- ***GitHub-list-pr-reviews***
- ***GitHub-get-commit***
- ***GitHub-add-label***
- ***GitHub-get-pull-request***
- __Cybereason__
Fixed the *Filters* argument in the ***cybereason-query-malops*** command.
- __Hybrid Analysis__
- Added calculation for DbotScore.
- Added 4 new commands.
- ***hybrid-analysis-quick-scan-url***
- ***hybrid-analysis-quick-scan-url-results***
- ***hybrid-analysis-submit-url***
- ***hybrid-analysis-list-scanners***
- Added the *malicious_threat_levels* argument to the ***hybrid-analysis-scan*** command.
- Added the *min_malicious_scanners* argument to the ***hybrid-analysis-search*** command.
- Updated outputs in the ***hybrid-analysis-scan*** command.
- __Gmail__
- Added 7 commands.
- ***gmail-hide-user-in-directory***
- ***gmail-set-password***
- ***gmail-get-autoreply***
- ***gmail-set-autoreply***
- ***gmail-delegate-user-mailbox***
- ***gmail-remove-delegated-mailbox***
- ***send-mail***
- Fixed an issue where in some cases, emails from different timezones did not create incidents. This might cause duplicate incidents shortly after upgrading.
- __Palo Alto Networks AutoFocus V2__
Added several arguments to the ***autofocus-samples-search*** and ***autofocus-sessions-search*** commands.
- *file_hash*
- *domain*
- *ip*
- *url*
- *wildfire_verdict*
- *first_seen*
- *last_updated*
- __Cylance Protect v2__
Added the *batch_size* argument to the ***cylance-protect-delete-devices*** command, which specifies the number of devices to delete per request (batch).
- __Palo Alto Networks PAN-OS__
- Added the *tag* argument to several commands.
- List commands - filter by a tag.
- Create and edit commands.
- Added the context output Tags to all list, create, edit, and get commands.
- Added support in the ***panorama-query-logs*** command to supply a list of arguments, which are separated using the "OR" operator.
- Improved error messaging when trying to configure a *device-group* that does not exist.
- __Palo Alto Networks WildFire v2__
- Fixed an issue in which the ***wildfire-report*** command failed for specific hash values.
- Fixed an issue in which the ***wildfire-report*** command failed when issuing it for an in-progress analysis.
- __Microsoft Teams__
- Added verification for the authorization header signature.
- Added support for HTTPS.
- __Active Directory Query v2__
- Fixed an issue in the ***custom-field-data*** argument.
- Fixed an issue in the ***ad-create-contact*** command.
- Improved description of the ***filter*** argument in the ***ad-search*** command.
- Fixed the example value description for the ***custom-attribute*** argument in the ***ad-create-user*** and ***ad-create-contact*** commands.
- __urlscan.io__
- Added support for the _Verdict_ result from the urlscan.io API.
- Default privacy setting is now customizable, which enables submissions to be public or private (globally).
- __ThreatConnect__
Added 8 new commands.
- ***tc-get-group***
- ***tc-get-group-attributes***
- ***tc-get-group-security-labels***
- ***tc-get-group-tags***
- ***tc-download-document***
- ***tc-get-group-indicators***
- ***tc-get-associated-groups***
- ***tc-associate-group-to-group***
- __Slack v2__
Added support for multi-line JSON when creating an incident in a direct message.
- __DUO Admin__
Fixed an issue in the ***duoadmin-get-authentication-logs-by-user*** command.
- __Carbon Black Enterprise Protection V2__
Fixed an issue with the ***fetch-incidents*** command where users received an error when there were no incidents to fetch.

---
Scripts

New Script
- __PadZeros__
Adds zeros (0) to the beginning of the string, until the string reaches the specified length.

6 Improved Scripts
- __IdentifyAttachedEmail__
Fixed an issue where in some cases output was not set to the context.
- __HTMLDocsAutomation__
- Added the *permissions* argument with the following options:
- ***per-command*** - the permissions entry will be displayed in every command section.
- ***global*** - the permissions entry will be displayed once, in its own section.
- ***none*** - if there are no permissions required for this integration, there will be no permissions section.
- Added a comment with an HTML example showing how to manually add an image to each command HTML section.
- Fixed an issue in the arguments descriptions.
- __SlackAsk__
Added support for users to reply within a thread to messages sent from the Demisto integration.
- __FindSimilarIncidents__
Added support for list values in context keys and incident fields.
- __CommonServerPython__
Added the ***parse_date_string*** function, which parses the date string to a datetime object.
- __ParseEmailFiles__
Removed the hyperlink from links.

---
Playbooks

16 New Playbooks
- __PAN-OS - Block IP - Custom Block Rule__
- This playbook blocks IP addresses using Custom Block Rules in Palo Alto Networks Panorama or Firewall.
- The playbook receives malicious IP addresses as inputs, creates a custom bi-directional rule to block them, and commits the configuration.
- __Calculate Severity By Email Authenticity__
Calculates a severity according to the verdict coming from the CheckEmailAuthenticity script.
- __PAN-OS Log Forwarding Setup And Configuration__
This playbook sets up and maintains log forwarding for the Panorama rulebase. It can be run when setting up a new instance, or as a periodic job to enforce log forwarding policy. You can either update all rules and override previous profiles, or update only rules that do not have a log forwarding profile configured.
- __Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account__
AWS CloudTrail is a service that provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate the Prisma Cloud alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host CloudTrail logs and enables CloudTrail (including all region events and global service events).
- __Calculate Severity By Highest DBotScore__
Calculates the incident severity level according to the highest indicator DBotScore.
- __Calculate Severity - Generic v2__
Calculate and assign the incident severity based on the highest returned severity level from the following calculations:
- DBotScores of indicators.
- Critical assets.
- Email authenticity.
- Current incident severity.
- __Calculate Severity - Standard__
Calculates and sets the incident severity based on the combination of the current incident severity, and the severity returned from the Evaluate Severity - Set By Highest DBotScore playbook.
- __Cortex XDR Incident Handling__
- This playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident.
- The playbook syncs and updates new XDR alerts that construct the incident. It enriches indicators using Threat Intelligence integrations and Palo Alto Networks AutoFocus. The incident's severity is then updated based on the indicators reputation and an analyst is assigned for manual investigation. If chosen, automated remediation with Palo Alto Networks FireWall is initiated. After a manual review by the SOC analyst, the XDR incident is closed automatically.
- ***Note*** - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.
- For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.
- __Block IP - Generic v2__
- This playbook blocks malicious IPs using all integrations that are enabled. The playbook supports the following integrations.
- Check Point Firewall
- Palo Alto Networks MineMeld
- Palo Alto Networks PAN-OS
- Zscaler
- __PAN-OS - Block URL - Custom URL Category__
- This playbook blocks URLs using Palo Alto Networks Panorama or Firewall through Custom URL Categories.
- The playbook checks whether the input URL category already exists, and if the URLs are a part of this category. Otherwise, it will create the category, block the URLs, and commit the configuration.
- __Calculate Severity - Critical Assets v2__
- Determines if a critical asset is associated with the investigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
- Critical assets refer to: users, user groups, endpoints and endpoint groups.
- __Phishing Investigation - Generic v2__
- Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.
- The final remediation tasks are always decided by a human analyst.
- __Hybrid-analysis quick-scan__
Use this playbook to run the ***quick-scan*** command with generic-polling.
- __PAN-OS - Block IP and URL - External Dynamic List__
- This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
- It checks if the EDL configuration is in place with the 'PAN-OS EDL Setup' sub-playbook (otherwise the list will be configured), and adds the input IP addresses and URLs to the relevant lists.
- __Palo Alto Networks - Malware Remediation__
This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
- __PAN-OS - Block IP - Static Address Group__
- This playbook blocks IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall.
- The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, and adds them and commits the configuration.
- ***Note*** - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook.

5 Improved Playbooks
- __Phishing Investigation - Generic v2__
- Improved the **Calculate Severity - Generic v2** playbook to evaluate more accurately the severity of an incident.
- Added a check for email authenticity using SPF, DKIM and DMARC. The verdict will also appear on the summary page of phishing incidents.
- __Block URL - Generic__
- Added section headers.
- Added two sub-playbooks.
- **PAN-OS - Block URL - Custom URL Category**.
- **PAN-OS - Block IP and URL - External Dynamic List**.
- __Block IP - Generic__
- Added section headers.
- Fixed an issue with implementation of the ZScaler integration.
- __Block Indicators - Generic__
Added the sub-playbook **Block IP - Generic v2**.
- __PAN-OS Commit Configuration__
Improved names and the layout.

---
Incident Fields
New Incident Field
- __Email Authenticity Check__
Indicates the authenticity of the email, which is determined by using the CheckEmailAuthenticity script.
