Demisto-py

Latest version: v3.3.0


Page 15 of 33

19.4.1

Demisto Content Release Notes for version 19.4.1 (21467)
Published on 16 April 2019
Integrations

3 New Integrations
- __Atlassian Jira (v2)__
Use the Jira integration to manage issues and create Demisto incidents from the projects.
- __Palo Alto Networks Cortex__
The Cortex framework manages all Palo Alto Networks cloud-based products.
- __Google Cloud Compute__
Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network. Compute Engine's tooling and workflow support enable scaling from single instances to global, load-balanced cloud computing.

12 Improved Integrations
- __AD Query v2__
Fixed an issue when configuring the port parameter.
- __CrowdStrike Falcon__
Improved wording and descriptions for the _platform_name_ argument in the ___cs-falcon-search-device___ command.
- __Fidelis Elevate Network__
Improved the fetch incidents function.
- __Snowflake__
Updated documentation and setting descriptions.
- __CrowdStrike Falcon Sandbox__
Deprecated the _crowdstrike-detonate-file_ command and the _crowdstrike-detonate-url_ command. Use the Crowdstrike Falcon Sandbox - Detonate playbooks instead.
- __McAfee ESM-v10__
Improved the fetch incidents function.
- __HashiCorp Vault__
Fixed fetching credentials.
- __Phish.AI__
Replaced the _url_ argument with the _scan_id_ argument in the ___phish-ai-check-status___ command. You must replace the _url_ argument with the _scan_id_ argument in automations and playbooks. Backward compatibility is not supported. Added outputs that enable the Detonate URL playbook to initiate as expected.
- __Tanium__
- Fixed an issue with testing the integration.
- Added log messages.
- __VirusTotal - Private API__
- Added a mechanism that supports multiple URLs for the ___vt-private-get-url-report___ command.
- Fixed an issue with the API.
- Added context to the ___vt-private-get-domain-report___, ___vt-private-get-file-report___, and ___vt-private-get-url-report___ commands.
- Fixed the DBot score in the ___ip-report___ command.
- Added a mechanism that determines whether a file or URL is malicious, based on trusted vendors.
- __VirusTotal__
Added a mechanism that determines whether a file or URL is malicious, based on trusted vendors.
- __Palo Alto Networks WildFire__
Improved handling of context for the ___wildfire-report___ command in cases where hashes contain network data.


Deprecated Integration
- __Atlassian Jira__
Use the Atlassian Jira v2 integration instead.

---
Scripts

New Script
- __WordTokenizerNLP__
Tokenize the words of input text.

7 Improved Scripts
- __ParseEmailFiles__
Improved how email file types are detected.
- __CommonServerPython__
- Added logger support for Python3.
- Common code that is merged into each server script when it runs.
- __DemistoUploadFile__
- Added a body argument.
- Improved the script description.
- __DemistoUploadFileToIncident__
- Added a body argument.
- Improved the script description.
- __ExtractDomainFromUrlAndEmail__
Executes the _UnEscapeURLs_ script before extracting the domain.
- __UnEscapeIPs__
The script input now supports arrays.
- __UnEscapeURLs__
The script input now supports arrays.

---
Playbooks

6 Improved Playbooks
- __Detonate File - JoeSecurity__
Added missing outputs.
- __ATD - Detonate File__
Added missing outputs.
- __Detonate URL - JoeSecurity__
Added missing outputs.
- __Detonate URL - McAfee ATD__
Added missing outputs.
- __Detonate URL - Phish.AI__
- Improved playbook implementation.
- Added outputs.
- __Process Email - Generic__
Fixed how indicators are extracted.

19.4.0

Demisto Content Release Notes for version 19.4.0 (20832)
Published on 02 April 2019
Integrations

6 New Integrations
- __CrowdStrike Falcon__
The CrowdStrike Falcon OAuth 2 API integration (formerly Falcon Firehose API) enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
- __ExtraHop__
ExtraHop performs real-time stream analysis of the packets that carry data across a network.
- __Signal Sciences WAF__
Protect your web application using Signal Sciences.
- __Snowflake__
Analytic data warehouse provided as Software-as-a-Service.
- __Tufin__
Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack.
- __Vertica__
Analytic database management software.

23 Improved Integrations
- __Active Directory Query v2__
- Added the _context-output_ argument to the ___ad-search___ command. If the argument is set to _no_, the command will not output results.
- Improved functionality of the _size-limit_ argument in the ___ad-search___ command.
- __ArcSight ESM v2__
Added an integration instance parameter that limits the number of incidents that are fetched each time.
- __Azure Compute__
Fixed an issue with the ___azure-vm-create-instance___ command.
- __Palo Alto AutoFocus__
- Fixed an issue with entry tables.
- Improved handling of HTTP errors.
- __Centreon__
Fixed proxy logic.
- __Cisco Umbrella Investigate__
Added a threshold parameter to the integration instance configuration, which can override the default malicious score.
- __CrowdStrike Falcon Sandbox__
Improved how URLs are submitted to CrowdStrike.
- __Cyber Triage__
Added support for Cyber Triage 2.6.
- __DUO Admin__
Renamed the _1_minutes_ago_ argument to _1_minute_ago_.
- __McAfee ESM-v10__
- Improved how incidents are fetched.
- Added support for ESM timezone.
- The ___esm-get-cases-list___ command now supports filtering by time range.
- Added the time format parameter.
- __Endgame__
Improved descriptions for the _endgame-deploy_ argument.
- __HashiCorp Vault__
- Improved integration test error messages.
- Fixed several issues with fetching credentials.
- The ___list-secrets___ command now supports KV1 engines.
- __LogRhythm__
Added several outputs and updated context.
- __Mail Sender (New)__
- Improved error handling and messaging.
- Added the FQDN parameter to the integration instance configuration.
- __McAfee Advanced Threat Defense__
Improved error messages for incorrect username, incorrect password, and incorrect header.
- __Palo Alto Minemeld__
- Added validation when deleting indicators from miners of type localDB.
- Added default values to the threat intel commands.
- __Palo Alto Networks Cortex__
Implemented OAuth2 authentication.
- __Palo Alto Firewall and Panorama__
- Added the ___panorama-get-pcap___ and ___panorama-list-pcaps___ commands.
- Improved error messages and handling of invalid inputs; move-rule errors are now caught and displayed as a message.
- __Server Message Block (SMB)__
- Added the ___smb-upload___ command.
- Added an option to print the contents of a file instead of downloading it.
- __urlscan.io__
- Added RedirectedURLs and EffectiveURL data from the ___!url___ command to context.
- Added the threshold parameter to the integration instance configuration.
- __VirusTotal - Private API__
- The ___vt-private-get-url-report___ command now supports multiple URLs.
- Fixed an issue with the API.
- Added context for the ___get-url___, ___file___, and ___domain-report___ commands.
- Fixed DBot score in the ___ip-report___ command.
- Added the __Preferred Vendors List__ and __Preferred Vendors Threshold__ parameters, which help determine if files and URLs are malicious.
- __Zscaler__
Fixed an issue with the rate limit error. Several requests in a short interval now trigger a retry on failure.

---
Scripts

New Script
- __FindSimilarIncidents__
Find similar incidents by common incident keys, labels, custom fields, or context keys.
We recommend using incident keys if possible, for example: "type" for the same incident type.
For performance reasons, we recommend avoiding context keys if possible; for example, if the value also appears in the label key, use "label".

7 Improved Scripts
- __CheckDockerImageAvailable__
Checks if a Docker image is accessible for ___pull___ commands.
- __CommonServerPython__
Added proxy handling method.
- __FilterByList__
Updated the context when the list is empty.
- __IsMaliciousIndicatorFound__
Fixed the script to depend only on _DBotScore.Score_.
- __ReadFile__
Fixed a Unicode parsing error.
- __ReadPDFFile__
Improved the error message when the script fails on reading encrypted files.
- __StixParser__
Added support for STIX2.0.

---
Playbooks

2 Improved Playbooks
- __Extract Indicators From File - Generic__
Improved the _Is there a PDF file_ task, which checks whether _file.type_ and _file.info_ contain "pdf".
- __Process Email - Generic__
Improved detection of attachments that are emails.

---
Reports

12 Improved Reports
- __Critical and High incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Daily incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Critical and High incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Daily incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Investigation Summary__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Open Incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Investigation Summary__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Last 24 hours incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Last 30 days incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Last 7 days incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Open Incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
- __Unknown severity incidents__
Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.

---
Widgets

Improved Widget
- __Mentions__
Only unread messages are now displayed.

---
Incident Layouts

4 Improved Incident Layouts
- __Access - Summary__
Applied incident source fields.
- __Malware - Summary__
Applied incident source fields.
- __Phishing - Summary__
Removed 'Email Body HTML' from default Phishing incident type summary layout.
- __Vulnerability - Summary__
Applied incident source fields.

19.3.2

:heart: **Demisto Dating for Security Analysts** :heart:
From alert fights to swiping right, Demisto has your back! Send an email to [datingdemisto.com](mailto:datingdemisto.com), answer a few simple questions, and our **ML (Machine Loving™)** algorithm will find your perfect match. Since you're already saving time with Demisto, why not funnel that saved time in the pursuit of love? :heart:

19.3.1

Demisto Content Release Notes for version 19.3.1 (19965)
Published on 19 March 2019
Integrations

New Integrations
- __DUO Admin__
Manage administrative functionality of DUO Security's two-factor authentication platform.

11 Improved Integrations
- __Active Directory Query v2__
- Added the _context-output_ argument to the ___ad-search___ command. If the argument is set to _no_, the command will not output results.
- Improved functionality of the _size-limit_ argument in the ___ad-search___ command.
- __ArcSight ESM v2__
- Added the _newparameter_ parameter, which defines the maximum number of unique case IDs to fetch.
- Improved representation of ArcSight fields in the context.
- For the ___as-get-case-event-ids___ command, added a flag that gets correlated events.
- __Cybereason__
Added the _machinename_ argument to the ___cybereason-malop-processes___ command.
- __Gmail__
Improved the fetch incidents functionality.
- __Luminate__
Added severity to fetched incidents.
- __Phish.AI__
Added the ___phish-ai-dispute-url___ command.
- __ProtectWise__
Fixed a context output issue, which caused inaccessible items to be available in context.
- __Symantec Advanced Threat Protection__
Fixed output for the ___satp-files___ command in cases when the file was not previously seen in ATP.
- __Whois__
The integration is now disabled by default.
- __Palo Alto Networks WildFire__
Improved error handling for the ___wildfire-report___ command.
- __Zscaler__
Added the __Use system proxy settings__ checkbox to the integration configuration. By default, the checkbox is selected. If you do not want to use system proxy settings, make sure you clear this checkbox.

---
Scripts

New Script
- __CheckDockerImageAvailable__
Checks if a Docker image is available for performing Docker pull. The script simulates the Docker pull flow, but doesn't actually pull the image.

6 Improved Scripts
- __ParseEmailFiles__
- EML files nested within EML files, and MSG files nested within MSG files are now extracted and parsed.
- Use the _HeadersMap_ (key-value structure) for output instead of _Headers_.
- Added the _parse_only_headers_ argument (set to true) to parse only headers.
- __ExtractDomainFromUrlAndEmail__
Fixed domain extraction functionality when working with subdomains in an email.
- __ExtractIndicatorsFromWordFile__
- Fixed an encoding issue.
- Added support for encoding to UTF-8 when displaying the data.
- __FindSimilarIncidents__
Future incidents are now ignored.
- __ParseCSV__
Added support for non-UTF-8 codec.
- __RegPathReputationBasicLists__
Fixed score output.

Deprecated Script
- __ParseEmailHeaders__
Use the __ParseEmailFiles__ script instead. You need to specify _parse_only_headers=true_.

---
Playbooks

2 Improved Playbooks
- __Detonate File - HybridAnalysis__
The playbook now checks that an enabled integration instance is active.
- __Process Email - Generic__
Improved detection of EML and MSG files as attachments.

---
Widgets

8 New Widgets
- __Active Incidents Assigned by User__
- __Active Incidents by Role__
- __Active Incidents - Line chart__
- __Active Incidents - Pie chart__
- __Closed Incidents by Role__
- __Unassigned Active Incidents__
- __Unassigned Closed Incidents__
- __Unassigned Pending Incidents__

8 Improved Widgets
- __Average Incident Duration by Role (Avg)__
Improved the query and updated the widget name.
- __Incidents By Close Reason__
Improved the query and updated the widget name.
- __Incidents Occurred Per Day__
Improved the query and updated the widget name.
- __Incidents by Role__
Improved the query and updated the widget name.
- __Incidents Top Close Analysts__
Improved the query and updated the widget name.
- __MTTR by Type__
Improved the query and updated the widget name.
- __MTTR Occurred by Type__
Improved the query and updated the widget name.
- __Top Active Playbooks__
Improved the query and updated the widget name.

4 Removed Widgets
- __ActiveIncidentByType__
- __ActiveIncidentsBySeverity__
- __IncidentsAssignedByUser__
- __Mttr__

19.3.0

Demisto Content Release Notes for version 19.3.0 (19237)
Published on 05 March 2019
Integrations

6 New Integrations
- __Active Directory Query v2__
Active Directory Query integration enables you to access and manage Active Directory objects (users, contacts, and computers).
- __Azure Compute__
Create and manage Azure Virtual Machines.
- __Azure Security Center__
Unified security management and advanced threat protection across hybrid cloud workloads.
- __ArcSight ESM v2__
ArcSight ESM SIEM by Micro Focus (formerly HPE Software).
- __Thinkst Canary__
By presenting itself as an apparently benign and legitimate service, the Canary draws the attention of unwanted activity. When someone trips one of the Canary's triggers, an alert is sent to notify the responsible parties so that action can be taken before valuable systems in your network are compromised.
- __Exchange 2016 Compliance Search__
Exchange Server 2016 Compliance Search enables you to search for and delete an email message from all mailboxes in your organization.

32 Improved Integrations
- __Anomali ThreatStream__
Added Push Indicators functionality.
- __RSA Archer__
Added the ___archer-reset-cache___ command, which resets the integration cache.
- __Check Point Firewall__
Improved entries and outputs.
- __CounterTack__
Updated output descriptions.
- __CVE Search__
The integration is now disabled by default.
- __Gmail__
Fixed the _from_ argument in the ___gmail-add-filter___ command.
- __Hybrid Analysis__
The integration is now disabled by default.
- __ipinfo__
The integration is now disabled by default.
- __LogRhythm__
You can now add the server URL as an integration instance parameter.
- __MISP V2__
Improved handling of warning messages from PyMISP.
- __McAfee Active Response__
Added several new commands.
- __Mimecast__
Fixed a potential bug in the ___mimecast-list-managed-url___ command.
- __okta__
Implemented aesthetic improvements.
- __OpenPhish__
The integration is now disabled by default.
- __Palo Alto Minemeld__
Improved error handling.
- __PhishTank__
The integration is now disabled by default.
- __RSA NetWitness v11.1__
Fixed an issue with the ___netwitness-update-incident___ command in which the _assignee_ argument was ignored.
- __RTIR__
Fixed a certification verification error.
- __Check Point Sandblast Cloud Services__
Fixed the test button so that it fails if the user is out of quota.
- __ServiceNow__
- Custom fields now work as expected.
- Improved indication of errors when fetching incidents.
- Improved handling of the __No Record Found__ error.
- __SplunkPy__
Fixed an issue with the ___splunk-search___ command when the result contained Unicode values.
- __Symantec Endpoint Protection V2__
Added _lastScanTime_ to the output of the ___sep-endpoints-info___ command.
- __Symantec Advanced Threat Protection__
Fixed output for the ___satp-files___ command in cases when ATP has not seen the file.
- __Threat Crowd__
The integration is now disabled by default.
- __Cisco Threat Grid__
The ___threat-grid-upload-sample___ command now works as expected with file names that contain newline characters.
- __urlscan.io__
The integration is now disabled by default.
- __urlscan.io__
Added the _wait_ and _retries_ rate limit arguments to the ___url___ command.
- __VirusTotal__
Improved error handling and parameters checks.
- __Whois__
The integration is now disabled by default.
- __IBM X-Force Exchange__
Added handling of 401 errors.
- __dnstwist__
Added an option to specify the _whois_ argument for the ___dnstwist-domain-variations___ command.
- __FireEye (AX Series)__
Fixed a client token parameter issue.

Deprecated Integration
- __ArcSight ESM__
Use the __ArcSight ESM v2__ integration instead.

---
Scripts

3 Improved Scripts
- __FindSimilarIncidents__
Fixed escaping of special characters.
- __FindSimilarIncidentsByText__
Improved algorithm with short texts.
- __ShowScheduledEntries__
The script no longer returns tasks whose schedules have completed.

8 Deprecated Scripts
- __ADGetComputer__
Use the ___ad-get-computer___ command instead.
- __ADGetGroupMembers__
Use the ___ad-get-group-members___ command instead.
- __ExtractDomain__
Use the ___extractIndicators___ command instead.
- __ExtractEmail__
Use the ___extractIndicators___ command instead.
- __ExtractHash__
Use the ___extractIndicators___ command instead.
- __ExtractIP__
Use the ___extractIndicators___ command instead.
- __ExtractURL__
Use the ___extractIndicators___ command instead.
- __InviteUser__
Use the ___DemistoSendInvite___ script instead.

---
Playbooks

New Playbook
- __Exchange 2016 Search and Delete__
Run a compliance search in Exchange Server 2016 and delete the results.

5 Improved Playbooks
- __ArcsSight - Get events related to the Case__
The playbook now supports ArcSight ESM v2.
- __Malware Investigation - Generic - Setup__
Updated the tests comment.
- __SentinelOne - Endpoint data collection__
Added a task that checks if SentinelOne is enabled.
- __DeDup incidents__
The condition that checks if there is a context key is now set to _true_.
- __Detonate File - ThreatGrid__
- Fixed handling of file types.
- The playbook only detonates files larger than 0 KB.

7 Deprecated Playbooks
- __Account Enrichment__
Use the ___Account Enrichment - Generic___ playbook instead.
- __Detonate files__
Use the ___Detonate File - Generic___ playbook instead.
- __Enrichment Playbook__
Use the ___Entity Enrichment - Generic___ playbook instead.
- __Extract Indicators - Generic__
Use the ___extractIndicators___ command instead.
- __Incident Enrichment__
Use the ___Default___ playbook instead.
- __Phishing Playbook - Automated__
Use the ___Phishing investigation - Generic___ playbook instead.
- __Process Email__
Use the ___Process Email - Generic___ playbook instead.

19.2.3

Demisto Content Release Notes for version 19.2.3 (18845)
Published on 22 February 2019
Integrations

5 New Integrations
- __CounterTack__
CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats.
- __EclecticIQ Platform__
A threat intelligence platform that connects and interprets intelligence data from open sources, commercial suppliers, and industry partnerships.
- __Fidelis Elevate Network__
Automate detection and response to network threats and data leakage in your organization.
- __Symantec Endpoint Protection V2__
Query the Symantec Endpoint Protection Manager using the official REST API.
- __WhatsMyBrowser__
Parses user agents, determines whether they are malicious, and enriches information about the agent.

12 Improved Integrations
- __Anomali ThreatStream__
Fixed an issue with the DBot score.
- __RSA Archer__
Added the ___archer-get-valuelist___ command, which gets a field's value-list.
- __EWS v2__
Added the option to search by _message-id_ when running the ___ews-search-mailbox___ command.
- __IntSights__
- Added the _Sub account ID_ parameter (for MSSP accounts) to the instance configuration.
- Added the ___intsights-mssp-get-sub-accounts___ command.
- __MISP V2__
- Added the ___misp-add-sighting___ command.
- Added test connection functionality.
- __McAfee Advanced Threat Defense__
Fixed URL parsing.
- __McAfee Threat Intelligence Exchange__
Indicators with a DBot reputation score of less than 30 are now set to __bad__.
- __Microsoft Graph__
Improved partial content handling.
- __PhishMe Intelligence__
- Reimplemented the way DBot score is calculated.
- Added 4 threshold parameters to the instance configuration.
- Added new output paths.
- __urlscan.io__
Fixed an issue where the insecure setting was ignored during polling.
- __Palo Alto WildFire__
Improved command outputs.
- __Windows Defender Advanced Threat Protection__
Added support for OAUTH2 authentication.

Deprecated Integration
- __Symantec Endpoint Protection 14 (Deprecated)__
Use Symantec Endpoint Protection V2 instead.

---
Scripts

New Script
- __PcapHTTPExtractor__
Parses and extracts HTTP flows (requests/responses) from a pcap/pcapng file.

7 Improved Scripts
- __CommonServerPython__
Added the _return_outputs()_ function, which wraps the _demisto.results()_ function.
- __CopyFileD2__
Added overwrite support.
- __D2Drop__
Added overwrite support.
- __FilterByList__
The _FilterByList_ script now supports regex items.
- __ReadPDFFile__
Improved script outputs.
- __RegPathReputationBasicLists__
- Fixed the score given to a RegistryPath.
- Added outputs.
- __UnEscapeURLs__
Added handling of Microsoft ATP protected URLs.

Deprecated Script
- __SEPScan__
Use the ___sep-scan-endpoint___ command instead.

---
Reputations
- Added reputation value and context paths for IPs, escaped IPs, domains, MD5s, SHA-1s, URLs, and escaped URLs.
- Removed unnecessary scripts.

---
Breaking Changes
__ArcSight ESM__
Several issues were discovered with the ArcSight ESM integration in Content Release v19.2.1 and v19.2.2. This integration was reverted to the previous version.
