Demisto Content Release Notes for version 19.9.0 (28765)
Published on 03 September 2019
Integrations
2 New Integrations
- __ZeroFOX__
Cloud-based SaaS to detect risks found on social media and digital channels.
- __Google Cloud Storage__
Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure.
25 Improved Integrations
- __AWS - S3__
The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __IBM QRadar__
- Fixed an issue in which the ***qradar-get-search-results*** command failed when the root of the result contained a non-ASCII character.
- Fixed an issue in which the ***qradar-offense-by-id*** command failed if an SEC header was missing when trying to get an offense type.
- __Mail Sender (New)__
Improved debug failure logging when testing the integration instance configuration.
- __Cisco Umbrella Investigate__
Added several context outputs to the following commands to support Demisto 5.0.
- ***domain***
- ***umbrella-get-whois-for-domain***
- __FortiGate__
Added 3 commannds.
- ***fortigate-ban-ip***
- ***fortigate-unban-ip***
- ***fortigate-get-banned-ips***
- __EWS v2__
- Improved implementation of the ***ews-get-contacts*** command.
- Improved security of the Exchange 365 compliance search.
- Improved security within the Docker container.
- __Palo Alto Networks Cortex XDR - Investigation and Response__
Improved the error message for cases when no query arguments are supplied for the ***xdr-get-incidents*** command.
- __McAfee Advanced Threat Defense__
Improved handling of DBotScore outputs in cases of unsuccessful file detonation using the ***atd-file-upload*** command.
- __Palo Alto Networks Minemeld__
Added support for non-root URL structures.
- __ServiceNow__
Fixed an issue with the ***servicenow-upload-file*** command when the uploaded file is an info file.
- __Censys__
- Added an error message when results are not returned. Previously, an error was returned.
- Added proxy support.
- __AWS - Lambda__
The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __Slack v2 **(Available from Demisto 5.0 *)**__
- Added 6 commands.
- ***close-channel*** (now with optional channel argument).
- ***slack-create-channel***
- ***slack-invite-to-channel***
- ***slack-kick-from-channel***
- ***slack-rename-channel***
- ***slack-get-user-details***
- Added support for removing the Slack admin (API token owner) when mirroring an incident.
- __Tenable.sc__
- Added the **tenable-sc-get-all-scan-results** command, which retrieves all scan results in Tenable SC.
- Added the **Port** and **Protocol** fields to the *Hosts* output in the ***get-vulnerability*** command.
- __Netskope__
The ***netskope-alerts*** command now returns full raw response data when you specify the *raw-repsonse* argument.
- __SplunkPy__
Added the *Fetch limit* parameter to the instance configuration, which specifies the maximum number of results to fetch.
- __Palo Alto Networks AutoFocus V2__
- Updated Palo Alto Networks AutoFocus V2 Indicators context outputs to support version 5.0.
- __Symantec Endpoint Protection V2__
- Added the ***sep-identify-old-clients*** command, which identifies endpoints with a running version that is inconsistent with the target version or the desired version.
- Added the *groupName* argument to the ***sep-endpoints-info***, which enables you to specify a group for which to search.
- Added several context outputs for the ***!sep-endpoints-info*** command:
- Group
- RunningVersion
- TargetVersion
- PatternIdx
- OnlineStatus
- UpdateTime
- __Palo Alto Networks PAN-OS__
- Added 3 commands.
- ***panorama-query-logs***
- ***panorama-check-logs-status***
- ***panorama-get-logs***
- Added the **Panorama Query Logs** playbook.
- Added *log-forwarding* as an option for the *element_to_change* argument in the ***panorama-edit-rule*** command.
- Added support for shared objects and rules in Panorama instances.
- Added the *device-group* argument to all relevant commands.
- __Palo Alto Networks WildFire v2__
Fixed an issue in which the ***wildfire-report*** command failed when setting the *verbose* argument to *true*.
- __AWS - EC2__
- Added several arguments to the ***authorize_security_group_ingress*** command.
- The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __Remedy On-Demand__
Removed the trailing slash from the login URL, which caused a bad request response.
- __Threat Crowd__
- Added DbotScore calculation to the following commands.
- ***threat-crowd-ip***
- ***threat-crowd-domain***
- __LogRhythmRest__
- Fixed an issue in the ***lr-get-alarm-events*** command when *DrillDownLogs* is empty.
- Improved handling of the ***lr-get-alarm-events-by-id*** command when there are no events for the alarm.
- __Carbon Black Enterprise Response__
Added the *get_related* argument to the ***cb-get-process*** command. If "true", will get process siblings, parent, and children.
---
Scripts
5 New Scripts
- __SlackAsk **(Available from Demisto 5.0 *)**__
Sends a message (question) either to a user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
- __EntryWidgetPieAlertsXDR__
Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
- __EntryWidgetNumberUsersXDR__
Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
- __ShowLocationOnMap__
Show indicator geo location on map.
- __EntryWidgetNumberHostsXDR__
Entry widget that returns the number of hosts in a Cortex XDR incident.
7 Improved Scripts
- __XDRSyncScript__
- Deprecated the *playbook_to_run* argument. When an incident is updated in XDR and the script updates the incident in Demisto, by default, the playbook is rerun.
- The next sync is now rescheduled even if the current sync fails.
- __FindSimilarIncidents__
- Added support for the "\n" character in incident fields.
- Fixed an issue where duplicate incidents were created at the same time.
- Added support for list values in the context key value.
- __SendEmailToManager__
Fixed an issue with arguments that are passed to the *addEntitlement* function.
- __MicrosoftTeamsAsk **(Available from Demisto 5.0 *)**__
- Added the *channel* argument.
- Improved script descriptions.
- __ParseEmailFiles__
- Improved EML file type detection.
- Added the **Email.AttachmentNames** output, which contains a list of the names of the email attachments.
- __IdentifyAttachedEmail__
The script now detects additional email attachment types.
- __CommonServerPython__
- Improved the *IntegrationLogger* function.
- Added support for IPv6 addresses in the ***is_ip_valid*** command.
- Added the ***get_demisto_version*** function, which returns the Demisto server version and build number.
Deprecated Script
- __SlackAskUser **(Available from Demisto 5.0 *)**__
Deprecated. Use the SlackAsk script instead.
Removed Script
- __IndicatorRelatedIncientBySeverity__
---
Playbooks
5 New Playbooks
- __Failed Login Playbook - Slack v2 **(Available from Demisto 5.0 *)**__
When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.
- __Cortex XDR Incident Sync__
Compares incidents in Palo Alto Networks Cortex XDR and Demisto, and updates the incidents appropriately. When an incident is updated in Demisto, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Demisto and rerun the current playbook.
- __PAN-OS DAG Configuration__
Added support for creating dynamic address groups (DAGs). You can attach DAGs and add IP addresses to a rule.
- __PAN-OS EDL Setup__
Added support for configuring an external dynamic list (EDL). The playbook syncs the remote file (if it exists) to Demisto. The playbook also creates a rule and attaches the EDL to the rule.
- __PAN-OS Commit Configuration__
Automatically determines the operable product (Firewall or Panorama), and commits accordingly. This playbook replaces the deprecated **panorama-commit-configuration** playbook.
6 Improved Playbooks
- __Panorama Query Logs__
Added a playbook that handles querying logs in Palo Alto Networks PAN-OS.
- __Dedup - Generic__
Added the *TimeField* input.
- __Process Email - Generic__
The playbook now uses *IdentifyAttachedEmail* to detect additional email attachment types.
- __ATD - Detonate File__
Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
- __Detonate URL - McAfee ATD__
Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
- __Failed Login Playbook With Slack__
Added *toversion*.
2 Deprecated Playbooks
- __Failed Login Playbook With Slack__
Deprecated. Use the **Failed Login - Slack v2** playbook instead.
- __PanoramaCommitConfiguration__
This playbook is deprecated. use playbook-Pan-OS_Commit_Configuration instead to automatically determine between firewall or panorama before committing
---
Reports
20 Improved Reports
- __Mean time to Resolve by Incident Owner (Last 2 Quarters)__
Updated the display values of the status column.
- __Open Incidents__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Critical and High incidents__
Updated the display values of the status column.
- __Last 7 days closed incidents__
Updated the display values of the status column.
- __Critical and High incidents__
Updated the display values of the status column.
- __Last 30 days closed incidents__
Updated the display values of the status column.
- __Shift summary report__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Open Incidents__
Updated the display values of the status column.
- __Last 7 days incidents__
Updated the display values of the status column.
- __Last 24 hours incidents__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Unknown severity incidents__
Updated the display values of the status column.
- __Last 30 days incidents__
Updated the display values of the status column.
- __Investigation Summary__
Updated the display values of the status column.
- __Late Incidents__
Updated the display values of the status column.
- __Mean time to Resolve by Incident Type (Last 2 Quarters)__
Updated the display values of the status column.
- __Last 24 hours closed incidents__
Updated the display values of the status column.
- __Investigation Summary__
Updated the display values of the status column.
---
Incident Fields
Added several incident fields to the **Cortex XDR Incident** incident type. **(Available from Demisto 5.0 *)**
---
Incident Layouts
1 New Incident Layouts
- __Cortex XDR Incident - Summary__
Added a layout for the **Cortex XDR Incident** incident type. **(Available from Demisto 5.0)**.
4 Improved Incident Layouts
- __ipRep - Indicator Details__
Added the **IP** indicator layout.
- __unifiedFileRep - Indicator Details__
Added the **unifiedFile** indicator layout.
- __urlRep - Indicator Details__
Added the **URL** indicator layout.
- __Phishing - Summary__
Added a new Phishing layout. **(Available from Demisto 5.0 *)**.
Removed Incident Layouts
- __layout-indicatorsDetails-ipEscaped__
---
Classification & Mapping
New Classification & Mapping
- __Cortex XDR - IR__
Added new mapping for the Cortex XDR integration. The integration converts an incident in XDR to an incident in Demisto, with the incident type
**Cortex XDR Incident**. **(Available from Demisto 5.0 *)**.
4 Improved Classification & Mapping
- __EWS v2__
Added **Email HTML** mapping.
- __OnboardingIntegration__
Added **Email HTML** mapping.
- __mail-listener__
Added **Email HTML** mapping.
- __Gmail__
Added **Email HTML** mapping.
---
Reputations
Removed Reputations
- __reputation-ipEscaped__
* This content requires Demisto 5.0, which is available for private beta evaluation. For more information, send a message to betademisto.com