Demisto Content Release Notes for version 19.4.2 (22301)
Published on 30 April 2019
Integrations
10 New Integrations
- __ANY.RUN__
ANY.RUN is a cloud-based sandbox with interactive access.
- __Carbon Black Enterprise Protection V2__
Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.
- __Cherwell__
Cherwell is a cloud-based IT service management solution.
- __Google BigQuery__
Google BigQuery is a data warehouse for querying and analyzing large databases.
- __Microsoft Graph Mail__
Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
- __Microsoft Graph User__
Unified gateway to security insights - all from a unified Microsoft Graph User API.
- __OnboardingIntegration__
Creates mock email incidents using one of two randomly selected HTML templates. Textual content is randomly generated and defined to include some text (100 random words) and the following data (at least 5 of each data type): IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, domain names.
- __Symantec Management Center__
Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
- __FortiSIEM__
Search and update FortiSIEM events, and manage resource lists.
- __OPSWAT-Metadefender v2__
OPSWAT-Metadefender is a multi-scanning engine that uses 30+ anti-malware engines to scan files for threats.
17 Improved Integrations
- __urlscan.io__
Added support for the __urlscan-get-http-transactions__ script.
- __ServiceNow__
Added an option to select the timestamp field to filter by when fetching incidents. Enforcement of the fetch incidents limit and last run.
- __CounterTack__
Added two commands.
- ___countertack-search-endpoints___
- ___countertack-search-behaviors___
- __Gmail__
Added two commands.
- ___gmail-list-filters___
- ___gmail-remove-filter commands___
- __Fidelis Elevate Network__
Fixed the _ioc_ filter in the ___fidelis-list-alerts___ command.
- __Atlassian Jira v2__
Improved handling of _IssueTypeName_ and _issueJson_ in the ___jira-create-issue___ command.
- __PagerDuty v2__
Added two commands.
- ___PagerDuty-get-incident-data___
- ___PagerDuty-get-service-keys___
- __Anomali ThreatStream__
Improved handling of partial responses from Anomali ThreatStream.
- __CrowdStrike Falcon Intel__
Fixed how dates are parsed in the ___cs-report___ command.
- __Intezer__
Several improvements to the ___file___ command.
- Added the _sha256_ argument.
- Invalid hashes are now regarded as a warning.
- __Palo Alto Networks Magnifier__
Fixed the integration name and logo.
- __Mail Sender (New)__
Improved error messages.
- __Palo Alto Networks Minemeld__
Fixed the integration display name.
- __Palo Alto Networks PAN-OS__
Added eight commands.
- ___panorama-list-edl___
- ___panorama-get-edl___
- ___panorama-create-edl___
- ___panorama-edit-edl___
- ___panorama-delete-edl___
- ___panorama-refresh-edl___
- ___panorama-register-ip-tag___
- ___panorama-unregister-ip-tag___
- __VirusTotal__
Added the _fullResponseGlobal_ parameter. The parameter determines whether to return all results, which can number in the thousands. If _true_, returns all results and overrides the _fullResponse_ and _long_ arguments (if they are set to "false") in a command. If _false_, the _fullResponse_ and _long_ arguments in the command determines how results are returned.
- __Palo Alto Networks WildFire__
- Improved the __file__ command.
- Added the _md5_ and _sha256_ arguments.
- Invalid hashes are now regarded as a warning.
- Improved the ___wildfire-report___ command.
- Added the _sha256_ argument.
- Deprecated the _hash_ argument.
- Added the __wildfire-get-sample__ command.
- __Zscaler__
Added the ___zscaler-sandbox-report___ command.
Deprecated
- __OPSWAT-Metadefender (Deprecated)__
Deprecated. Use the OPSWAT-Metadefender v2 integration instead.
---
Scripts
11 New Scripts
- __CherwellCreateIncident__
A sample script that creates an incident in Cherwell. The script wraps the __cherwell-create-business-object__ command in the Cherwell integration.
- __CherwellGetIncident__
A sample script that retrieves an incident from Cherwell. The script wraps the __cherwell-get-business-object__ command of the Cherwell integration.
- __CherwellIncidentOwnTask__
A sample script that links an incident to a task in Cherwell. The script wraps the __cherwell-link-business-object__ command of the Cherwell integration.
- __CherwellIncidentUnlinkTask__
A sample script that unlinks a task from an incident in Cherwell. The script wraps the __cherwell-unlink-business-object__ command of the Cherwell integration.
- __CherwellQueryIncidents__
A sample script that queries incidents from Cherwell. The script wraps the __cherwell-query-business-object__ command of the Cherwell integration.
- __CherwellUpdateIncident__
A sample script that updates an incident in Cherwell. The script wraps the __cherwell-update-business-object__ command of the Cherwell integration.
- __DBotPredictPhishingWords__
Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision.
- __FileToBase64List__
Encode a file as base64 and store it in a Demisto list.
- __DemistoLeaveAllInvestigations__
Removes a user from all investigations of which they are involved in (clears the incidents in the left pane). Incidents that the user owns will remain in the left pane. Requires Demisto REST API integration to be configured for the server.
- __OnboardingCleanup__
Cleans up the incidents and indicators created by the __OnboardingIntegration__.
- __UrlscanGetHttpTransactions__
Provides the functionality to get the HTTP transactions made for a given URL using the UrlScan integration. To properly use this script, use it inside a playbook, and select to run it without a worker. This require less system resources in the polling action. In the playbook task that executes this script, go to the __Advanced__ section and select the __Run without a worker__ checkbox.
12 Improved Scripts
- __CheckDockerImageAvailable__
Improved the script to work with older demisto/python images.
- __ParseEmailFiles__
- Improved email file type detection.
- Fixed an issue when EML files have special characters.
- __ADGetUser__
Enabled script execution with _Active Directory Query_ instances only.
- __CommonServerPython__
Added the _list_ type to raw_response in the ___raw_outputs___ command.
- __ExtractIndicatorsFromWordFile__
The automation executes as expected when the entry is a single object.
- __FetchFromInstance__
Improved script execution.
- __GenericPollingScheduledTask__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __ReadPDFFile__
Added an error when reading image files fails.
- __RunPollingCommand__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __ScheduleGenericPolling__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __UserEnrichAD__
Updated a dependency for the __activedir__ brand.
- __IsIPInRanges__
- Removed the condition tag.
- Improved description and of IP range input.
---
Playbooks
16 New Playbooks
- __Account Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names, descriptions, input selectors, and auto-extract settings.
- The new version does not provide reputation.
- __Detonate File - ANYRUN__
Detonates one or more files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. All file types are supported.
- __Detonate File From URL - ANYRUN__
Detonates one or more remote files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. This type of analysis works only for direct download links.
- __Detonate URL - ANYRUN__
Detonates one or more URLs using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and URL reputations to the context data.
- __Domain Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names, descriptions, and auto-extract settings.
- The new version does not provide reputation.
- __Email Address Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved playbook performance and execution.
- The new version does not provide reputation.
- __Endpoint Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names and descriptions, and auto-extract settings.
- Improved playbook performance and execution, and DT selector implementation.
- Removed a deprecated SentinelOne integration.
- __Entity Enrichment - Generic v2__
Improved playbook and sub-playbook performance and execution.
- __Entity Enrichment - Phishing v2__
Customized for generic phishing investigations to avoid enrichment of irrelevant entities.
- __File Enrichment - Generic v2__
- Reduced indicator duplication.
- Removed redundant sub-playbooks.
- Simplified playbook structure and conditions.
- The new version does not provide reputation.
- __IP Enrichment - Generic v2__
- Added two separate sub-playbooks; one for internal IPs and one for external IPs.
- The new version does not provide reputation.
- __IP Enrichment - External - Generic v2__
- Added a new generic playbook for external IP enrichment
- The new playbook does not provide reputation.
- __IP Enrichment - Internal - Generic v2__
- Added a new generic playbook for internal IP enrichment
- The new playbook does not provide reputation.
- __PhishingDemo-Onboarding__
This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the __on-boarding__ integration and configure incidents of type _Phishing_. For more information, refer to the on-boarding walkthroughs in the help section.
- __Phishing Investigation - Generic v2__
Improved entity enrichment to avoid enrichment of irrelevant entities.
- __URL Enrichment - Generic v2__
- Reduced indicator duplication.
- Removed reputation commands.
- Simplified playbook structure and implementation.
- The new version does not provide reputation.
5 Improved Playbooks
- __Detonate File - Generic__
Added the __ANYRUN File Detonation__ playbook.
- __Detonate URL - Generic__
Added the __ANYRUN URL Detonation__ playbook.
- __Email Address Enrichment - Generic__
Adjusted version.
- __GenericPolling__
Added support for CSV arguments and values for _PollingCommandArgName_.
- __Process Email - Generic__
_SetIncident_ now retrieves data from the correct context fields.
---
Incident Layouts
Improved Incident Layout
- __Phishing - Summary__
Updated phishing incident type layout.
---
Classification & Mapping
New Classification & Mapping
- __OnboardingIntegration__
Mapping to phishing incidents.