Demisto-py

Latest version: v3.3.0


19.9.0

Demisto Content Release Notes for version 19.9.0 (28765)
Published on 03 September 2019
Integrations

2 New Integrations
- __ZeroFOX__
Cloud-based SaaS to detect risks found on social media and digital channels.
- __Google Cloud Storage__
Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure.

25 Improved Integrations
- __AWS - S3__
The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __IBM QRadar__
- Fixed an issue in which the ***qradar-get-search-results*** command failed when the root of the result contained a non-ASCII character.
- Fixed an issue in which the ***qradar-offense-by-id*** command failed if an SEC header was missing when trying to get an offense type.
- __Mail Sender (New)__
Improved debug failure logging when testing the integration instance configuration.
- __Cisco Umbrella Investigate__
Added several context outputs to the following commands to support Demisto 5.0.
- ***domain***
- ***umbrella-get-whois-for-domain***
- __FortiGate__
Added 3 commands.
- ***fortigate-ban-ip***
- ***fortigate-unban-ip***
- ***fortigate-get-banned-ips***
- __EWS v2__
- Improved implementation of the ***ews-get-contacts*** command.
- Improved security of the Exchange 365 compliance search.
- Improved security within the Docker container.
- __Palo Alto Networks Cortex XDR - Investigation and Response__
Improved the error message for cases when no query arguments are supplied for the ***xdr-get-incidents*** command.
- __McAfee Advanced Threat Defense__
Improved handling of DBotScore outputs in cases of unsuccessful file detonation using the ***atd-file-upload*** command.
- __Palo Alto Networks Minemeld__
Added support for non-root URL structures.
- __ServiceNow__
Fixed an issue with the ***servicenow-upload-file*** command when the uploaded file is an info file.
- __Censys__
- Added an error message when results are not returned. Previously, an error was returned.
- Added proxy support.
- __AWS - Lambda__
The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __Slack v2 **(Available from Demisto 5.0 *)**__
- Added 6 commands.
- ***close-channel*** (now with optional channel argument).
- ***slack-create-channel***
- ***slack-invite-to-channel***
- ***slack-kick-from-channel***
- ***slack-rename-channel***
- ***slack-get-user-details***
- Added support for removing the Slack admin (API token owner) when mirroring an incident.
- __Tenable.sc__
- Added the **tenable-sc-get-all-scan-results** command, which retrieves all scan results in Tenable SC.
- Added the **Port** and **Protocol** fields to the *Hosts* output in the ***get-vulnerability*** command.
- __Netskope__
The ***netskope-alerts*** command now returns the full raw response data when you specify the *raw-response* argument.
- __SplunkPy__
Added the *Fetch limit* parameter to the instance configuration, which specifies the maximum number of results to fetch.
- __Palo Alto Networks AutoFocus V2__
- Updated Palo Alto Networks AutoFocus V2 Indicators context outputs to support version 5.0.
- __Symantec Endpoint Protection V2__
- Added the ***sep-identify-old-clients*** command, which identifies endpoints with a running version that is inconsistent with the target version or the desired version.
- Added the *groupName* argument to the ***sep-endpoints-info*** command, which enables you to specify a group in which to search.
- Added several context outputs for the ***sep-endpoints-info*** command:
- Group
- RunningVersion
- TargetVersion
- PatternIdx
- OnlineStatus
- UpdateTime
- __Palo Alto Networks PAN-OS__
- Added 3 commands.
- ***panorama-query-logs***
- ***panorama-check-logs-status***
- ***panorama-get-logs***
- Added the **Panorama Query Logs** playbook.
- Added *log-forwarding* as an option for the *element_to_change* argument in the ***panorama-edit-rule*** command.
- Added support for shared objects and rules in Panorama instances.
- Added the *device-group* argument to all relevant commands.
- __Palo Alto Networks WildFire v2__
Fixed an issue in which the ***wildfire-report*** command failed when setting the *verbose* argument to *true*.
- __AWS - EC2__
- Added several arguments to the ***authorize_security_group_ingress*** command.
- The following instance parameters now work as expected.
- Proxy
- Trust any certificate
- __Remedy On-Demand__
Removed the trailing slash from the login URL, which caused a bad request response.
- __Threat Crowd__
- Added DbotScore calculation to the following commands.
- ***threat-crowd-ip***
- ***threat-crowd-domain***
- __LogRhythmRest__
- Fixed an issue in the ***lr-get-alarm-events*** command when *DrillDownLogs* is empty.
- Improved handling of the ***lr-get-alarm-events-by-id*** command when there are no events for the alarm.
- __Carbon Black Enterprise Response__
Added the *get_related* argument to the ***cb-get-process*** command. If set to "true", the command also returns the process siblings, parent, and children.

---
Scripts

5 New Scripts
- __SlackAsk **(Available from Demisto 5.0 *)**__
Sends a message (question) either to a user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
- __EntryWidgetPieAlertsXDR__
Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
- __EntryWidgetNumberUsersXDR__
Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
- __ShowLocationOnMap__
Show indicator geo location on map.
- __EntryWidgetNumberHostsXDR__
Entry widget that returns the number of hosts in a Cortex XDR incident.

7 Improved Scripts
- __XDRSyncScript__
- Deprecated the *playbook_to_run* argument. When an incident is updated in XDR and the script updates the incident in Demisto, by default, the playbook is rerun.
- The next sync is now rescheduled even if the current sync fails.
- __FindSimilarIncidents__
- Added support for the "\n" character in incident fields.
- Fixed an issue where duplicate incidents were created at the same time.
- Added support for list values in the context key value.
- __SendEmailToManager__
Fixed an issue with arguments that are passed to the *addEntitlement* function.
- __MicrosoftTeamsAsk **(Available from Demisto 5.0 *)**__
- Added the *channel* argument.
- Improved script descriptions.
- __ParseEmailFiles__
- Improved EML file type detection.
- Added the **Email.AttachmentNames** output, which contains a list of the names of the email attachments.
- __IdentifyAttachedEmail__
The script now detects additional email attachment types.
- __CommonServerPython__
- Improved the *IntegrationLogger* function.
- Added support for IPv6 addresses in the ***is_ip_valid*** command.
- Added the ***get_demisto_version*** function, which returns the Demisto server version and build number.

Deprecated Script
- __SlackAskUser **(Available from Demisto 5.0 *)**__
Deprecated. Use the SlackAsk script instead.

Removed Script
- __IndicatorRelatedIncientBySeverity__

---
Playbooks
5 New Playbooks
- __Failed Login Playbook - Slack v2 **(Available from Demisto 5.0 *)**__
When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.
- __Cortex XDR Incident Sync__
Compares incidents in Palo Alto Networks Cortex XDR and Demisto, and updates the incidents appropriately. When an incident is updated in Demisto, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Demisto and rerun the current playbook.
- __PAN-OS DAG Configuration__
Added support for creating dynamic address groups (DAGs). You can attach DAGs and add IP addresses to a rule.
- __PAN-OS EDL Setup__
Added support for configuring an external dynamic list (EDL). The playbook syncs the remote file (if it exists) to Demisto. The playbook also creates a rule and attaches the EDL to the rule.
- __PAN-OS Commit Configuration__
Automatically determines the operable product (Firewall or Panorama), and commits accordingly. This playbook replaces the deprecated **panorama-commit-configuration** playbook.

6 Improved Playbooks
- __Panorama Query Logs__
Added a playbook that handles querying logs in Palo Alto Networks PAN-OS.
- __Dedup - Generic__
Added the *TimeField* input.
- __Process Email - Generic__
The playbook now uses *IdentifyAttachedEmail* to detect additional email attachment types.
- __ATD - Detonate File__
Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
- __Detonate URL - McAfee ATD__
Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
- __Failed Login Playbook With Slack__
Added *toversion*.

2 Deprecated Playbooks
- __Failed Login Playbook With Slack__
Deprecated. Use the **Failed Login - Slack v2** playbook instead.
- __PanoramaCommitConfiguration__
This playbook is deprecated. Use the playbook-Pan-OS_Commit_Configuration playbook instead, which automatically determines whether the target is a firewall or Panorama before committing.
---
Reports

20 Improved Reports
- __Mean time to Resolve by Incident Owner (Last 2 Quarters)__
Updated the display values of the status column.
- __Open Incidents__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Critical and High incidents__
Updated the display values of the status column.
- __Last 7 days closed incidents__
Updated the display values of the status column.
- __Critical and High incidents__
Updated the display values of the status column.
- __Last 30 days closed incidents__
Updated the display values of the status column.
- __Shift summary report__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Open Incidents__
Updated the display values of the status column.
- __Last 7 days incidents__
Updated the display values of the status column.
- __Last 24 hours incidents__
Updated the display values of the status column.
- __Daily incidents__
Updated the display values of the status column.
- __Unknown severity incidents__
Updated the display values of the status column.
- __Last 30 days incidents__
Updated the display values of the status column.
- __Investigation Summary__
Updated the display values of the status column.
- __Late Incidents__
Updated the display values of the status column.
- __Mean time to Resolve by Incident Type (Last 2 Quarters)__
Updated the display values of the status column.
- __Last 24 hours closed incidents__
Updated the display values of the status column.
- __Investigation Summary__
Updated the display values of the status column.

---
Incident Fields
Added several incident fields to the **Cortex XDR Incident** incident type. **(Available from Demisto 5.0 *)**

---
Incident Layouts

1 New Incident Layout
- __Cortex XDR Incident - Summary__
Added a layout for the **Cortex XDR Incident** incident type. **(Available from Demisto 5.0)**.

4 Improved Incident Layouts
- __ipRep - Indicator Details__
Added the **IP** indicator layout.
- __unifiedFileRep - Indicator Details__
Added the **unifiedFile** indicator layout.
- __urlRep - Indicator Details__
Added the **URL** indicator layout.
- __Phishing - Summary__
Added a new Phishing layout. **(Available from Demisto 5.0 *)**.

Removed Incident Layout
- __layout-indicatorsDetails-ipEscaped__

---
Classification & Mapping

New Classification & Mapping
- __Cortex XDR - IR__
Added a new mapping for the Cortex XDR integration. The integration converts an incident in XDR to an incident in Demisto with the incident type **Cortex XDR Incident**. **(Available from Demisto 5.0 *)**.

4 Improved Classification & Mapping
- __EWS v2__
Added **Email HTML** mapping.
- __OnboardingIntegration__
Added **Email HTML** mapping.
- __mail-listener__
Added **Email HTML** mapping.
- __Gmail__
Added **Email HTML** mapping.

---
Reputations

Removed Reputations
- __reputation-ipEscaped__
* This content requires Demisto 5.0, which is available for private beta evaluation. For more information, send a message to betademisto.com

19.8.2

19.8.1

19.8.0

Demisto Content Release Notes for version 19.8.0 (26837)
Published on 06 August 2019
Integrations

3 New Integrations
- __Cofense Intelligence__
Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses.
- __Uptycs__
Use the Uptycs integration to fetch data from the Uptycs database.
- __AWS - Lambda__
Amazon Web Services serverless compute service (Lambda).

19 Improved Integrations
- __IBM QRadar__
- Fixed an issue in which the fetch incidents function would fail when there were non-ASCII characters in the data.
- Fixed an issue in which the fetch incidents function would ignore the filter if the maximum number of offenses set in the instance configuration were fetched in a single fetch.
- Improved error messages for fetch-incidents.
- Added the *Required Permissions* information in the detailed description section.
- __Palo Alto Networks Cortex XDR - Investigation and Response__
Added instructions to the integration instance Detailed Description section on how to generate an API Key and API Key ID, and how to copy the integration URL.
- __Whois__
Added support for Socks and HTTP Connect proxy.
- __Anomali ThreatStream v2__
Fixed an issue with the *description* argument in the ***threatstream-create-model*** command.
- __EWS v2__
- Improved memory resource usage.
- Added the ***ews-mark-items-as-read*** command.
- Added the *Mark fetched emails as read* parameter to the integration instance configuration.
- Improved integration documentation.
- __SNDBOX__
- Fixed an issue with command mapping in which some commands were not called correctly.
- Deprecated the ***detonate-file*** function.
- __VirusTotal__
Updated outputs with new indicator fields.
- __WhatIsMyBrowser__
The *Trust any certificate* parameter now works as expected.
- __PhishLabs IOC__
Fixed an issue with the **updatedAt** field.
- __Palo Alto Networks PAN-OS EDL Management__
Added the ***pan-os-edl-get-external-file-metadata*** command.
When a non-existent list is specified in the ***pan-os-edl-update-from-external-file*** command, the list is automatically created and the file data is saved to the list.
- __Fidelis Elevate Network__
Added 5 new commands.
- ***list-metadata***
- ***get-alert-by-uuid***
- ***list-alert-by-ip***
- ***download-malware-file***
- ***download-pcap-file***
- __Palo Alto Networks AutoFocus V2__
- Added to context the status of commands with the following prefixes: ***autofocus-samples-search***, ***autofocus-sessions-search***, and ***autofocus-top-tags***.
- Improved error handling for cases of no report in the ***autofocus-sample-analysis*** command.
- Improved error handling for retrieving a pending query in the ***autofocus-samples-search-results*** command.
- __Imperva Skyfence__
Improved descriptions and integration documentation.
- __Palo Alto Networks PAN-OS__
- Improved error handling for URL filtering licensing.
- Improved error handling when trying to edit an uncommitted Custom URL category.
- Added the ***panorama-list-rules*** command.
- Added *edl* as an option for the *object_type* argument in the ***panorama-custom-block-rule*** command.
- __Proofpoint TAP v2__
Modified the fetch range for the first fetch to 1 hour (the Proofpoint TAP API maximum).
- __Active Directory Query v2__
- The default query now works as expected.
- The *dn* argument now works as expected.
- Added support for custom SSL certificates, by using the Docker environment variable: SSL_CERT_FILE.
- __McAfee ePO__
Added the ***epo-move-system*** command.
- __SentinelOne V2__
Added 3 commands.
- ***sentinelone-disconnect-agent***
- ***sentinelone-connect-agent***
- ***sentinelone-broadcast-message***
- __Awake Security__
The ***Trust any certificate*** parameter now works as expected.
- __Cylance Protect v2__
- Improved handling of error messages.
- Improved logging functionality.
- Added the ***Trust any certificate*** parameter.

Deprecated Integration
- __Phishme Intelligence__
Deprecated. Use the Cofense Intelligence integration instead.

---
Scripts

2 Improved Scripts
- __StixParser__
- Fixed an issue in which an unknown STIX pattern corrupts script presentation.
- Fixed an issue in which duplicate indicators were created.
- __ParseEmailFiles__
- Added support for EML file attachments with a generic "data" type.
- Added support for smime signed EML file attachments.

Deprecated Script
- __CBSearch__
Deprecated. Use the ***cb-binary*** command and the ***cb-get-processes*** command instead.

---
Playbooks

2 New Playbooks
- __Uptycs - Bad IP Incident__
Gets information about processes that open connections to known bad IPs.
- __Uptycs - Outbound Connection to Threat IOC Incident__
Gets information about connections from IOC incidents.

Improved Playbooks
- __Process Email - Generic__
Added support for EML file attachments with a generic "data" type.

19.7.2

Demisto Content Release Notes for version 19.7.2 (26095)
Published on 23 July 2019
Integrations

6 New Integrations
- __Cisco ISE__
Use the Cisco ISE integration to get endpoint data, and to manage and update endpoints and ANC policies.
- __Palo Alto Networks Cortex XDR - Investigation and Response__
Use the Palo Alto Networks Cortex XDR integration to get a list of incidents and detailed incident data, and to update incident fields.
- __Proofpoint TAP v2__
Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
- __URLhaus__
Use the URLhaus integration to get information about URLs and domains, and to download malware samples.
- __Atlassian Confluence Server__
Use the Atlassian Confluence Server API integration to manage your Confluence spaces and content.
- __VulnDB__
Use the VulnDB integration to get information about vulnerabilities for various products, including operating systems, applications, and so on.

18 Improved Integrations
- __Cisco AMP__
- Changed the name of the *Credential* parameter to *Client ID*.
- Added information in the Detailed Description section on how to generate a Client ID and API Key.
- __MaxMind GeoIP2__
The ***Trust any certificate*** parameter now works as expected.
- __Rapid7 Nexpose__
Fixed an issue in the ***nexpose-get-asset*** command in which the command failed to handle dates without milliseconds.
- __SumoLogic__
Fixed an issue with fetching incidents by adding the *timeZone* parameter.
- __LogRhythmRest__
Added 5 new commands.
- ***lr-get-hosts***
- ***lr-get-alarm-data***
- ***lr-get-alarm-events***
- ***lr-get-networks***
- ***lr-get-persons***
- __Windows Defender Advanced Threat Protection__
Improved handling of cases when the *isAadJoined* key is missing from API responses.
- __Netcraft__
Fixed an issue in the ***netcraft-report-attack*** command.
- __Google Vault__
- Improved error handling.
- Added support for new integration parameters.
- *Use system proxy settings*
- *Trust any certificate*
- __Zendesk__
- Attachments are now visible in context when you run the ***zendesk-ticket-details*** command.
- Added a test playbook.
- __CVE Search__
Fixed an issue in which *UserAgent* was not present in the request.
- __Cisco Umbrella Investigate__
The *Trust any certificate* parameter now works as expected.
- __Atlassian Jira (v2)__
Fixed an issue when fetching incidents in which multiple incidents with the same ticket ID were fetched.
- __EWS Mail Sender__
Added support for embedding inline images in emails.
- __MISP V2__
Added 4 new commands.
- ***misp-add-events-from-feed***
- ***misp-add-ip-object***
- ***misp-add-domain-object***
- ***misp-add-email-object***
- ***misp-add-generic-object***
- __Vertica__
Improved connection failure logging.
- __urlscan.io__
- Screenshots are now fetched when the *Trust any certificate* parameter is selected.
- The *Trust any certificate* parameter now works as expected.
- __CrowdStrike Falcon Sandbox__
- Fixed DBot score mapping.
- Fixed an issue in which an indicator was undefined in DBot context.
- __Okta__
Fixed an issue in which filters were double encoded, and results are now returned according to the specified filter, as expected.

---
Scripts

New Script
- __XDRSyncScript__
This script compares Demisto incidents with incidents in Palo Alto Networks Cortex XDR, and updates both incidents mutually. The script always uses the ***xdr-get-incident-extra-data*** command and outputs the entire incident JSON to context. If the incident was updated in Cortex XDR, the Demisto incident is updated accordingly and the playbook reruns. If the incident was updated in Demisto, the script executes the ***xdr-update-incident*** command to update the incident in Cortex XDR.

Improved Script
- __FindSimilarIncidents__
Improved wording in the script.

---
Playbooks
Improved Playbook
- __Process Email - Generic__
Fixed an issue in which the script rendered an image when there was no HTML in the email.

19.7.1
