Demisto-py

Latest version: v3.3.0

19.7.0

19.6.1

Demisto Content Release Notes for version 19.6.1 (24849)
Published on 25 June 2019
Integrations

8 New Integrations
- __Anomali ThreatStream v2__
Use the Anomali ThreatStream integration to query and submit threats.
- __Palo Alto Networks AutoFocus v2__
Use the Palo Alto Networks AutoFocus v2 integration to access samples and session data.
- __BlueCat__
Use the BlueCat integration to enrich IP addresses and manage response policies.
- __Cloaken__
Use the Cloaken integration to unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries.
- __Cofense Triage__
Use the Cofense Triage integration to manage reports and attachments.
- __Intezer v2__
Use the Intezer v2 integration to detect and analyze malware, based on code reuse.
- __Perch__
Use the Perch integration to manage alerts, indicators, and communities.
- __ThreatX__
Use the ThreatX integration to automate enforcement and intel gathering actions.


13 Improved Integrations
- __ArcSight ESM v2__
Improved logging functionality.
- __EWS Mail Sender__
Improved handling of EWS concurrency limits.
- __Gmail__
Added proxy support.
- __ipstack__
Improved naming and descriptions.
- __Palo Alto Networks Cortex__
Added the Cortex XDR Analytics query type for fetch incidents.
- __Rasterize__
Improved error suppression.
- __McAfee ESM-v10__
- Fixed an issue with the logout process.
- Added event information to fetched alarms.
- __Server Message Block (SMB)__
Added the _server IP/hostname_ and _NETBios (AD) name_ command arguments. They still exist as optional instance parameters.
- __IntSights__
Fixed an issue with fetching incidents.
- __Microsoft Graph Security__
Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the [Microsoft Graph Security documentation](https://support.demisto.com/hc/en-us/articles/360009780133).
- __Microsoft Graph Mail__
Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the [Microsoft Graph Mail documentation](https://support.demisto.com/hc/en-us/articles/360022521313).
- __Microsoft Graph User__
Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the [Microsoft Graph User documentation](https://support.demisto.com/hc/en-us/articles/360022407333).
- __Microsoft Defender Advanced Threat Protection__
- Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the [Microsoft Defender Advanced Threat Protection documentation](https://support.demisto.com/hc/en-us/articles/360011926814).
- Added three new commands:
  - ___microsoft-atp-advanced-hunting___: Run advanced queries as you would using the ATP portal.
  - ___microsoft-atp-create-alert___: Create a new alert entity using event data obtained from Advanced Hunting.
  - ___microsoft-atp-get-alert-related-user___: Retrieves the user associated with a specific alert.

---
Scripts

7 New Scripts
- __CheckEmailAuthenticity__
Checks email authenticity based on the email's SPF, DMARC, and DKIM.
- __D2Remove__
Removes the Demisto D2 agent from the system using the ___d2_remove___ command.
- __FindSimilarIncidents__
Identifies similar incidents by common incident keys, labels, custom fields, or context keys.
- __IntezerScanHost__
Scans the Intezer host.
- __Ping__
Pings an IP address or URL to verify that it is active.
- __GenerateSummaryReports__
Generates report summaries for the specified incidents.
- __IntezerRunScanner__
Runs the Intezer Endpoint Analysis Scanner.

---
Playbooks

7 New Playbooks
- __Detonate File - ThreatStream__
Detonates one or more files using the __Anomali ThreatStream v2__ integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.
- __Detonate URL - ThreatStream__
Detonates one or more URLs using the __Anomali ThreatStream v2__ sandbox integration.
Returns relevant reports to the War Room and URL reputations to the context data.
- __Intezer - Analyze Uploaded file__
Uploads a file to Intezer Analyze for analysis and enriches the file reputation.
- __Intezer - Analyze by hash__
Analyzes the given file hash on Intezer Analyze and enriches the file reputation. Supports SHA256, SHA1, and MD5.
- __Intezer - scan host__
Uses Demisto D2 agent to scan a host using Intezer scanner.
- __Send Investigation Summary Reports__
This playbook iterates over closed incidents, then generates a summary report for each closed incident, and emails the reports to specified users.
- __Send Investigation Summary Reports Job__
This playbook calls the sub-playbook, "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. This playbook should run as a scheduled job, at an interval of once every 15 minutes.

2 Improved Playbooks
- __Extract Indicators From File - Generic__
File info data is ignored when checking Word documents.
- __Extract Indicators From File - Generic v2__
File info data is ignored when checking Word documents.

19.6.0

Demisto Content Release Notes for version 19.6.0 (24157)
Published on 11 June 2019
Integrations

6 New Integrations
- __BeyondTrust Password Safe__
Unified password and session management for seamless accountability and control over privileged accounts.
- __CheckPhish__
Check any URL to detect suspicious behavior.
- __GitHub__
Use the GitHub integration to utilize the GitHub API.
- __Ipstack__
One of the leading IP to geolocation APIs and global IP database services.
- __Looker__
Use the Looker integration to query an explore, save queries as looks, run looks, and fetch look results as incidents.
- __Palo Alto Networks PAN-OS EDL Management__
Use the Palo Alto Networks PAN-OS EDL Management integration to manage and edit files located on a remote web server via SSH using integration context as single source of truth.

8 Improved Integrations
- __Fidelis Elevate Network__
Logout errors are now ignored.
- __Palo Alto Networks WildFire v2__
Fixed an issue with evidence data in reports.
- __VMRay__
Improved overall implementation of the integration.
- __AlienVault OTX__
Fixed the ___url___ command to extract the base URL, and return a readable error in case of failure.
- __Attivo Botsink__
- Fixed a duplication issue in the ___fetch-incidents___ command.
- Improved error handling.
- __FortiGate__
Improved the ___fortigate-update-policy___ command, which now retains existing data.
- __LogRhythm__
- Added several new commands.
  - ___lr-execute-query___
  - ___lr-get-hosts-by-entity___
  - ___lr-add-host___
- Added the _LastHour_ option to the __time_frame__ argument.
- __Rasterize__
- By default, the _Return errors_ parameter is set to false.
- Improved error messages.

Deprecated Integration
- __Cymon__
Cymon was discontinued as of April 30, 2019.

---
Scripts

New Script
- __FormattedDateToEpoch__
Converts a custom-formatted timestamp to UNIX epoch time. Use the script to convert custom time stamps to a Demisto date field. The script uses the Python strptime format. For more information, see the [Python documentation](https://docs.python.org/3.7/library/datetime.html#strftime-and-strptime-behavior).


2 Improved Scripts
- __ReadPDFFileV2__
- Added additional fields and field descriptions to the script output.
- Improved several output names, for example, PDF version was changed to PDFVersion.
- __IncidentAddSystem__
Added a new engine argument.

---
Playbooks

New Playbook
- __Extract Indicators From File - Generic v2__
Extracts images and text from PDF files. Images are extracted using the Image OCR integration.

3 Improved Playbooks
- __WildFire - Detonate file__
Added support for the __WildFire__ and __WildFire-v2__ integrations.
- __Extract Indicators From File - Generic__
Improved identification of Excel files.
- __Detonate File - VMRay__
Added the ___vmray-get-iocs___ and ___vmray-get-threat-indicators___ commands to the playbook.

19.5.1

Demisto Content Release Notes for version 19.5.1 (23606)
Published on 28 May 2019
Integrations

5 New Integrations
- __AlienVault USM Anywhere__
Search and monitor alarms and events from AlienVault USM Anywhere.
- __Forescout__
Unified device visibility and control platform for IT and OT security.
- __PhishLabs IOC__
Get live feeds of IOC data from PhishLabs.
- __Minerva Labs Anti-Evasion Platform__
Minerva eliminates the endpoint security gap while empowering companies to embrace technology fearlessly.
- __LogRhythmRest__
LogRhythm security intelligence.

11 Improved Integrations
- __Image OCR__
Updated argument descriptions.
- __FireEye HX__
Fixed an issue that caused an error when running the ___fireeye-hx-fetch-incidents___ and ___fireeye-hx-get-alert___ commands.
- __FortiGate__
- Fixed an issue with SRC and DST addresses in human readable output.
- Policy creation now supports multiple sources and destinations.
- Fixed an issue with the ___fortigate-update-policy___ command.
- __IntSights__
Added the _severity_level_ parameter, which fetches incidents based on the incident severity level.
- __Mail Sender (New)__
Improved an error message when testing the integration instance.
- __Palo Alto Networks Minemeld__
Added handling for the addition and removal of multiple indicators on miners.
- __Palo Alto Networks PAN-OS__
Added the _log_forwarding_ argument to the ___panorama-create-rule___ and ___panorama-custom-block-rule___ commands. The argument is only available for Panorama instances.
- __Rasterize__
Added the _with_errors_ parameter, which enables the integration to return warnings instead of errors.
- __EWS Mail Sender__
Improved error messages.
- __VMRay__
Deprecated all previous commands, and added new commands.
- __Whois__
Added a package that enables improved parsing of Whois entries.

3 Deprecated Integrations
- __Secdo - Deprecated__
Deprecated, use the Palo Alto Networks Cortex integration instead.
- __Palo Alto Networks Magnifier - Deprecated__
Deprecated, use the Palo Alto Networks Cortex integration instead.
- __Amazon Web Services - Deprecated__
Changed the integration name to reflect deprecated status.


---
Scripts

2 New Scripts
- __PhishLabsPopulateIndicators__
Populate indicators by the PhishLabs IOC global feed.
- __ReadPDFFileV2__
Load the content and metadata of a PDF file into context.

3 Improved Scripts
- __ParseEmailFiles__
Fixed an issue with ParseEmailFiles when there is an EML file inside an EML file.
- __FilterByList__
Added ability to ignore case.
- __StixCreator__
- Added support for registry indicators and CVE CVSS vulnerability. The script does not throw an exception on total failure.
- Added support for the _stix2-validator_ package.


3 Deprecated Scripts
- __VMRay__
Deprecated, use the __Detonate File - VMRay__ playbook instead.
- __vmray_getResults__
Deprecated, use the __Detonate File - VMRay__ playbook instead.
- __ReadPDFFile__
Deprecated, use the __ReadPDFFileV2__ script instead.

---
Playbooks

4 New Playbooks
- __Detonate File - FireEye AX__
Detonate one or more files using the FireEye AX integration. This playbook returns relevant reports to the War Room and file reputations to the context data.
- __PhishLabs - Populate Indicators__
Populate indicators from PhishLabs, according to a defined period of time.
- __PhishLabs - Whitelist false positives__
This playbook can be used in a job to whitelist indicators from PhishLabs, which were classified as false positives, according to a defined period of time.
- __Detonate File - VMRay__
Detonate a file using the VMRay integration.

Improved Playbook
- __Detonate File - Generic__
Added support for the VMRay and FireEye AX integrations.

19.5.0

Demisto Content Release Notes for version 19.5.0 (22786)
Published on 14 May 2019
Integrations

3 New Integrations
- __Image OCR__
Extracts text from images.
- __Netcraft__
Enables you to open and handle takedown requests.
- __Palo Alto Networks WildFire v2__
Perform malware dynamic analysis.

5 Improved Integrations
- __Carbon Black Enterprise Protection v2__
- Improved argument descriptions.
- Added various arguments that streamline search commands.
- For more information, see the [Carbon Black Enterprise Protection v2 documentation](https://support.demisto.com/hc/en-us/articles/360022492334).
- __Cherwell__
- Enhanced "Test Module" functionality.
- Fixed a syntax error.
- __ServiceNow__
Added _caller_ as an optional field for the create a ticket and update a ticket commands.
- __Palo Alto Networks WildFire__
- Added the _md5_ and _sha256_ arguments to ___!file___ command.
- Invalid hashes in the ___!file___ command are regarded as a warning.
- Added the _sha256_ argument and deprecated the _hash_ argument for the ___wildfire-report___ command.
- Added the ___wildfire-get-sample___ command.
- __Rasterize__
Rasterize URL error handling.

---
Scripts

2 New Scripts
- __GDPRContactAuthorities__
Returns the GDPR Data Protection Supervisory Authority Listing. A supervisory authority is an independent public authority which is established by a Member State pursuant to [Article 51. GDPR - Art. 4](https://gdpr-info.eu/art-4-gdpr/).
- __GetDockerImageLatestTag__
Gets the latest tag for a Docker image, by simulating the Docker pull flow, but does not actually pull the image. The script returns an entry with the latest tag of a Docker image if all is good, otherwise it will return an error.

9 Improved Scripts
- __CherwellCreateIncident__
Added tags and the ___dependsOn___ command.
- __CherwellGetIncident__
Added tags and the ___dependsOn___ command.
- __CherwellIncidentOwnTask__
Added tags and the ___dependsOn___ command.
- __CherwellIncidentUnlinkTask__
Added tags and the ___dependsOn___ command.
- __CherwellQueryIncidents__
Added tags and the ___dependsOn___ command.
- __CherwellUpdateIncident__
Added tags and the ___dependsOn___ command.
- __DeleteContext__
Fixed an issue where the script defines the index parameter as undefined when it is set to zero.
- __IsEmailAddressInternal__
Added the ability to check for sub-domains.
- __LinkIncidentsWithRetry__
Improved script descriptions.

Deprecated Script
- __SendEmail__
Deprecated. Use the ___send-mail___ command instead.

---
Playbooks

5 New Playbooks
- __GDPR Breach Notification__
This playbook executes when you manually create a GDPR data breach incident, and then performs the required tasks that are detailed in GDPR Article 33. For more information, see the [GDPR Breach Notification documentation](https://support.demisto.com/hc/en-us/articles/360022980613).

***Disclaimer: This playbook does not ensure compliance with the GDPR regulation. Before using this playbook, we advise consulting with the relevant authority, and adjusting it to the organization's needs.
- __Account Enrichment - Generic v2.1__
- Replaced the Active Directory integration with the Active Directory v2 Query integration.
- Removed redundant outputs.
- __Email Address Enrichment - Generic v2.1__
- Enriches email addresses.
- Gets information from Active Directory for internal addresses.
- Gets the _domain-squatting_ reputation for external addresses.
- Uses the Active Directory v2 integration.
- __Endpoint Enrichment - Cylance Protect v2__
Enrich endpoints using the Cylance Protect v2 integration.
- __Endpoint Enrichment - Generic v2__
Enriches endpoints using relevant v2 integrations.


4 Improved Playbooks
- __Account Enrichment - Generic__
Added support for the Active Directory Query v2 integration.
- __Entity Enrichment - Generic v2__
The playbook now uses the v2.1 enrichment playbooks, which utilize v2 integrations.
- __Phishing Investigation - Generic v2__
The playbook now uses Entity Enrichment - Phishing v2, as expected.
- __Entity Enrichment - Phishing v2__
The playbook now uses the v2.1 enrichment playbooks, which utilize v2 integrations.
---
Incident Fields
Added a new incident field for GDPR Data Breach incidents.

---
Incident Layouts

1 New Incident Layout
- __GDPR Data Breach__
GDPR Data Breach Incident.

19.4.2

Demisto Content Release Notes for version 19.4.2 (22301)
Published on 30 April 2019
Integrations

10 New Integrations
- __ANY.RUN__
ANY.RUN is a cloud-based sandbox with interactive access.
- __Carbon Black Enterprise Protection V2__
Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.
- __Cherwell__
Cherwell is a cloud-based IT service management solution.
- __Google BigQuery__
Google BigQuery is a data warehouse for querying and analyzing large databases.
- __Microsoft Graph Mail__
Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
- __Microsoft Graph User__
Unified gateway to security insights - all from a unified Microsoft Graph User API.
- __OnboardingIntegration__
Creates mock email incidents using one of two randomly selected HTML templates. Textual content is randomly generated and defined to include some text (100 random words) and the following data (at least 5 of each data type): IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, domain names.
- __Symantec Management Center__
Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
- __FortiSIEM__
Search and update FortiSIEM events, and manage resource lists.
- __OPSWAT-Metadefender v2__
OPSWAT-Metadefender is a multi-scanning engine that uses 30+ anti-malware engines to scan files for threats.


17 Improved Integrations
- __urlscan.io__
Added support for the __urlscan-get-http-transactions__ script.
- __ServiceNow__
Added an option to select the timestamp field to filter by when fetching incidents. Enforcement of the fetch incidents limit and last run.
- __CounterTack__
Added two commands.
- ___countertack-search-endpoints___
- ___countertack-search-behaviors___
- __Gmail__
Added two commands.
- ___gmail-list-filters___
- ___gmail-remove-filter___
- __Fidelis Elevate Network__
Fixed the _ioc_ filter in the ___fidelis-list-alerts___ command.
- __Atlassian Jira v2__
Improved handling of _IssueTypeName_ and _issueJson_ in the ___jira-create-issue___ command.
- __PagerDuty v2__
Added two commands.
- ___PagerDuty-get-incident-data___
- ___PagerDuty-get-service-keys___
- __Anomali ThreatStream__
Improved handling of partial responses from Anomali ThreatStream.
- __CrowdStrike Falcon Intel__
Fixed how dates are parsed in the ___cs-report___ command.
- __Intezer__
Several improvements to the ___file___ command.
- Added the _sha256_ argument.
- Invalid hashes are now regarded as a warning.
- __Palo Alto Networks Magnifier__
Fixed the integration name and logo.
- __Mail Sender (New)__
Improved error messages.
- __Palo Alto Networks Minemeld__
Fixed the integration display name.
- __Palo Alto Networks PAN-OS__
Added eight commands.
- ___panorama-list-edl___
- ___panorama-get-edl___
- ___panorama-create-edl___
- ___panorama-edit-edl___
- ___panorama-delete-edl___
- ___panorama-refresh-edl___
- ___panorama-register-ip-tag___
- ___panorama-unregister-ip-tag___
- __VirusTotal__
Added the _fullResponseGlobal_ parameter. The parameter determines whether to return all results, which can number in the thousands. If _true_, returns all results and overrides the _fullResponse_ and _long_ arguments (if they are set to "false") in a command. If _false_, the _fullResponse_ and _long_ arguments in the command determine how results are returned.
- __Palo Alto Networks WildFire__
- Improved the __file__ command.
  - Added the _md5_ and _sha256_ arguments.
  - Invalid hashes are now regarded as a warning.
- Improved the ___wildfire-report___ command.
  - Added the _sha256_ argument.
  - Deprecated the _hash_ argument.
- Added the __wildfire-get-sample__ command.
- __Zscaler__
Added the ___zscaler-sandbox-report___ command.

Deprecated
- __OPSWAT-Metadefender (Deprecated)__
Deprecated. Use the OPSWAT-Metadefender v2 integration instead.

---
Scripts

11 New Scripts
- __CherwellCreateIncident__
A sample script that creates an incident in Cherwell. The script wraps the __cherwell-create-business-object__ command in the Cherwell integration.
- __CherwellGetIncident__
A sample script that retrieves an incident from Cherwell. The script wraps the __cherwell-get-business-object__ command of the Cherwell integration.
- __CherwellIncidentOwnTask__
A sample script that links an incident to a task in Cherwell. The script wraps the __cherwell-link-business-object__ command of the Cherwell integration.
- __CherwellIncidentUnlinkTask__
A sample script that unlinks a task from an incident in Cherwell. The script wraps the __cherwell-unlink-business-object__ command of the Cherwell integration.
- __CherwellQueryIncidents__
A sample script that queries incidents from Cherwell. The script wraps the __cherwell-query-business-object__ command of the Cherwell integration.
- __CherwellUpdateIncident__
A sample script that updates an incident in Cherwell. The script wraps the __cherwell-update-business-object__ command of the Cherwell integration.
- __DBotPredictPhishingWords__
Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision.
- __FileToBase64List__
Encode a file as base64 and store it in a Demisto list.
- __DemistoLeaveAllInvestigations__
Removes a user from all investigations in which they are involved (clears the incidents in the left pane). Incidents that the user owns will remain in the left pane. Requires the Demisto REST API integration to be configured for the server.
- __OnboardingCleanup__
Cleans up the incidents and indicators created by the __OnboardingIntegration__.
- __UrlscanGetHttpTransactions__
Provides the functionality to get the HTTP transactions made for a given URL using the UrlScan integration. To properly use this script, use it inside a playbook, and select to run it without a worker. This requires fewer system resources in the polling action. In the playbook task that executes this script, go to the __Advanced__ section and select the __Run without a worker__ checkbox.

12 Improved Scripts
- __CheckDockerImageAvailable__
Improved the script to work with older demisto/python images.
- __ParseEmailFiles__
- Improved email file type detection.
- Fixed an issue when EML files have special characters.
- __ADGetUser__
Enabled script execution with _Active Directory Query_ instances only.
- __CommonServerPython__
Added the _list_ type to raw_response in the ___raw_outputs___ command.
- __ExtractIndicatorsFromWordFile__
The automation executes as expected when the entry is a single object.
- __FetchFromInstance__
Improved script execution.
- __GenericPollingScheduledTask__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __ReadPDFFile__
Added an error when reading image files fails.
- __RunPollingCommand__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __ScheduleGenericPolling__
Added an option to pass CSV arguments and values to _pollingCommandArgName_.
- __UserEnrichAD__
Updated a dependency for the __activedir__ brand.
- __IsIPInRanges__
- Removed the condition tag.
- Improved description and of IP range input.

---
Playbooks

16 New Playbooks
- __Account Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names, descriptions, input selectors, and auto-extract settings.
- The new version does not provide reputation.
- __Detonate File - ANYRUN__
Detonates one or more files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. All file types are supported.
- __Detonate File From URL - ANYRUN__
Detonates one or more remote files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. This type of analysis works only for direct download links.
- __Detonate URL - ANYRUN__
Detonates one or more URLs using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and URL reputations to the context data.
- __Domain Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names, descriptions, and auto-extract settings.
- The new version does not provide reputation.
- __Email Address Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved playbook performance and execution.
- The new version does not provide reputation.
- __Endpoint Enrichment - Generic v2__
- Reduced indicator duplication.
- Improved task names and descriptions, and auto-extract settings.
- Improved playbook performance and execution, and DT selector implementation.
- Removed a deprecated SentinelOne integration.
- __Entity Enrichment - Generic v2__
Improved playbook and sub-playbook performance and execution.
- __Entity Enrichment - Phishing v2__
Customized for generic phishing investigations to avoid enrichment of irrelevant entities.
- __File Enrichment - Generic v2__
- Reduced indicator duplication.
- Removed redundant sub-playbooks.
- Simplified playbook structure and conditions.
- The new version does not provide reputation.
- __IP Enrichment - Generic v2__
- Added two separate sub-playbooks; one for internal IPs and one for external IPs.
- The new version does not provide reputation.
- __IP Enrichment - External - Generic v2__
- Added a new generic playbook for external IP enrichment.
- The new playbook does not provide reputation.
- __IP Enrichment - Internal - Generic v2__
- Added a new generic playbook for internal IP enrichment.
- The new playbook does not provide reputation.
- __PhishingDemo-Onboarding__
This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the __on-boarding__ integration and configure incidents of type _Phishing_. For more information, refer to the on-boarding walkthroughs in the help section.
- __Phishing Investigation - Generic v2__
Improved entity enrichment to avoid enrichment of irrelevant entities.
- __URL Enrichment - Generic v2__
- Reduced indicator duplication.
- Removed reputation commands.
- Simplified playbook structure and implementation.
- The new version does not provide reputation.

5 Improved Playbooks
- __Detonate File - Generic__
Added the __ANYRUN File Detonation__ playbook.
- __Detonate URL - Generic__
Added the __ANYRUN URL Detonation__ playbook.
- __Email Address Enrichment - Generic__
Adjusted version.
- __GenericPolling__
Added support for CSV arguments and values for _PollingCommandArgName_.
- __Process Email - Generic__
_SetIncident_ now retrieves data from the correct context fields.

---
Incident Layouts

Improved Incident Layout
- __Phishing - Summary__
Updated phishing incident type layout.

---
Classification & Mapping

New Classification & Mapping
- __OnboardingIntegration__
Mapping to phishing incidents.
