Demisto-py

Latest version: v3.3.0

Page 16 of 33

19.2.2

Demisto Content Release Notes for version 19.2.2 (18802)
Published on 21 February 2019
Integrations

5 New Integrations
- __CounterTack__
CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats.
- __EclecticIQ Platform__
A threat intelligence platform that connects and interprets intelligence data from open sources, commercial suppliers, and industry partnerships.
- __Fidelis Elevate Network__
Automate detection and response to network threats and data leakage in your organization.
- __Symantec Endpoint Protection V2__
Query the Symantec Endpoint Protection Manager using the official REST API.
- __WhatsMyBrowser__
Parse user agents and determine if they are malicious as well as enrich information about the agent.

13 Improved Integrations
- __Anomali ThreatStream__
Fixed an issue with the DBot score.
- __ArcSight ESM__
- Fixed an issue in which fetching incidents created duplicate incidents.
- You can now update the _severity_ field when running the ___as-update-case___ command.
- Updated all time outputs to be date fields in Date format rather than Epoch.
- __RSA Archer__
Added the ___archer-get-valuelist___ command, which gets a field's value-list.
- __EWS v2__
Added the option to search by _message-id_ when running the ___ews-search-mailbox___ command.
- __IntSights__
- Added the _Sub account ID_ parameter (for MSSP accounts) to the instance configuration.
- Added the ___intsights-mssp-get-sub-accounts___ command.
- __MISP V2__
- Added the ___misp-add-sighting___ command.
- Added test connection functionality.
- __McAfee Advanced Threat Defense__
Fixed URL parsing.
- __McAfee Threat Intelligence Exchange__
Indicators with a DBot reputation score of less than 30 are now set to __bad__.
- __Microsoft Graph__
Improved partial content handling.
- __PhishMe Intelligence__
- Reimplemented the way DBot score is calculated.
- Added 4 threshold parameters to the instance configuration.
- Added new output paths.
- __urlscan.io__
Fixed an issue where the insecure setting was ignored during polling.
- __Palo Alto WildFire__
Improved command outputs.
- __Windows Defender Advanced Threat Protection__
Added support for OAuth2 authentication.

Deprecated Integration
- __Symantec Endpoint Protection 14 (Deprecated)__
Use Symantec Endpoint Protection V2 instead.

---
Scripts

New Script
- __PcapHTTPExtractor__
Parses and extracts HTTP flows (requests/responses) from a pcap/pcapng file.

7 Improved Scripts
- __CommonServerPython__
Added the _return_outputs()_ function, which wraps the _demisto.results()_ function.
- __CopyFileD2__
Added overwrite support.
- __D2Drop__
Added overwrite support.
- __FilterByList__
The _FilterByList_ script now supports regex items.
- __ReadPDFFile__
Improved script outputs.
- __RegPathReputationBasicLists__
- Fixed the score given to a RegistryPath.
- Added outputs.
- __UnEscapeURLs__
Added handling of Microsoft ATP protected URLs.

Deprecated Script
- __SEPScan__
Use the ___sep-scan-endpoint___ command instead.

---
Reputations
- Added reputation value and context paths for IPs, escaped IPs, domains, MD5s, SHA-1s, URLs, and escaped URLs.
- Removed unnecessary scripts.
---
Breaking Changes
__ArcSight ESM instance configuration settings deleted__
If you installed Content Release v19.2.1 (18725), certain ArcSight ESM instance parameters might have been deleted in the instances configured before installing this content version.

19.2.1

Demisto Content Release Notes for version 19.2.1 (18725)
Published on 19 February 2019
Integrations

5 New Integrations
- __CounterTack__
CounterTack empowers endpoint security teams to assure endpoint protection for identifying cyber threats.
- __EclecticIQ Platform__
A threat intelligence platform that connects and interprets intelligence data from open sources, commercial suppliers, and industry partnerships.
- __Fidelis Elevate Network__
Automate detection and response to network threats and data leakage in your organization.
- __Symantec Endpoint Protection V2__
Query the Symantec Endpoint Protection Manager using the official REST API.
- __WhatsMyBrowser__
Parse user agents and determine if they are malicious as well as enrich information about the agent.

13 Improved Integrations
- __Anomali ThreatStream__
Fixed an issue with the DBot score.
- __ArcSight ESM__
- Fixed an issue in which fetching incidents created duplicate incidents.
- You can now update the _severity_ field when running the ___as-update-case___ command.
- Updated all time outputs to be date fields in Date format rather than Epoch.
- __RSA Archer__
Added the ___archer-get-valuelist___ command, which gets a field's value-list.
- __EWS v2__
Added the option to search by _message-id_ when running the ___ews-search-mailbox___ command.
- __IntSights__
- Added the _Sub account ID_ parameter (for MSSP accounts) to the instance configuration.
- Added the ___intsights-mssp-get-sub-accounts___ command.
- __MISP V2__
- Added the ___misp-add-sighting___ command.
- Added test connection functionality.
- __McAfee Advanced Threat Defense__
Fixed URL parsing.
- __McAfee Threat Intelligence Exchange__
Indicators with a DBot reputation score of less than 30 are now set to __bad__.
- __Microsoft Graph__
Improved partial content handling.
- __PhishMe Intelligence__
- Reimplemented the way DBot score is calculated.
- Added 4 threshold parameters to the instance configuration.
- Added new output paths.
- __urlscan.io__
Fixed an issue where the insecure setting was ignored during polling.
- __Palo Alto WildFire__
Improved command outputs.
- __Windows Defender Advanced Threat Protection__
Added support for OAuth2 authentication.

Deprecated Integration
- __Symantec Endpoint Protection 14 (Deprecated)__
Use Symantec Endpoint Protection V2 instead.

---
Scripts

New Script
- __PcapHTTPExtractor__
Parses and extracts HTTP flows (requests/responses) from a pcap/pcapng file.

7 Improved Scripts
- __CommonServerPython__
Added the _return_outputs()_ function, which wraps the _demisto.results()_ function.
- __CopyFileD2__
Added overwrite support.
- __D2Drop__
Added overwrite support.
- __FilterByList__
The _FilterByList_ script now supports regex items.
- __ReadPDFFile__
Improved script outputs.
- __RegPathReputationBasicLists__
- Fixed the score given to a RegistryPath.
- Added outputs.
- __UnEscapeURLs__
Added handling of Microsoft ATP protected URLs.

Deprecated Script
- __SEPScan__
Use the ___sep-scan-endpoint___ command instead.

---
Reputations
- Added reputation value and context paths for IPs, escaped IPs, domains, MD5s, SHA-1s, URLs, and escaped URLs.
- Removed unnecessary scripts.

19.2.0

Demisto Content Release Notes for version 19.2.0 (18017)
Published on 05 February 2019
Integrations

2 New Integrations
- __Freshdesk__
Manage tickets, agents, and contacts.
- __Kafka V2__
The open-source distributed streaming platform.

17 Improved Integrations
- __AbuseIPDB__
The 'Unverified HTTPS request is being made' warning is ignored when the __Trust any certificate__ checkbox is selected.
- __ArcSight ESM__
Improved proxy usage in the ___as-get-security-events___ command.
- __RSA Archer__
Added a caching mechanism that improves command execution performance.
- __Cisco Umbrella Investigate__
DBotScore now displays even when there is no rank.
- __CrowdStrike Falcon Sandbox__
Improved error handling of the ___crowdstrike-submit-sample___ command.
- __CrowdStrike Falcon Intel__
Added the _threshold_ parameter to identify and label malicious indicators.
- __Cylance Protect v2__
Improved error handling for the ___cylance-protect-get-device___ command when no device is found.
- __EWS v2__
- Added the ___ews-expand-group___ command.
- Fixed an issue with 2010-2016 mixed environments.
- __Gmail__
Fixed an issue with the ___gmail-revoke-user-role___ command.
- __Joe Security__
Added support in the ___joe-analysis-submit-sample___ command for EML files when there are no file attachments to analyze.
- __McAfee Advanced Threat Defense__
The _url_ argument in the ___atd-upload-file___ command does not require a protocol prefix.
- __Palo Alto Firewall and Panorama__
- Improved error messages.
- Added support for Service and Service groups objects.
- __PhishMe Intelligence__
Improved argument and command descriptions.
- __Recorded Future__
- Added commands for retrieving threats in a specified order.
- Added commands for retrieving risk lists as CSV files (with additional scripts to create indicators from them).
- Added commands for retrieving and fetching alerts.
- __Check Point Sandblast Cloud Services__
Made improvements to Context and DBot score.
- __ServiceNow__
- Fixed severity mapping.
- Improved parameter descriptions.
- Fixed human readable headers.
- Added the _Opened At_ argument to ticket creation.
- Added a command to get ticket notes using the ___sys_journal_field___ table.
- __SplunkPy__
Improved human readable output for the ___splunk-search___ command.

---
Scripts

3 New Scripts
- __HighlightWords__
Highlight words inside a given text.
- __SendEmailOnSLABreach__
Sends an email informing the user assigned to an incident of an SLA breach.
- __Cut__
Cut a string by delimiter and return specific fields.

3 Improved Scripts
- __CommonServerPython__
Added the _is_error_ and _get_error_ helper functions to remove errors from the ___demisto.executeCommand()___ result.
- __UnEscapeURLs__
Added support for ProofPoint encrypted URLs.
- __ParseEmailFiles__
Improved implementation and fixed several issues.

2 Deprecated Scripts
- __SplunkPySearch__
Use the ___splunk-search___ command instead.
- __StringContains__
Use the _StringContainsArray_ filter instead.


---
Playbooks

1 Improved Playbook
- __PanoramaCommitConfiguration__
Filters JobIDs and executes the GenericPolling task only for those JobIDs.

---
Reputations
Added reputation value and context path for SHA256. Auto-Extract should now work properly for SHA256.

19.1.2

Demisto Content Release Notes for version 19.1.2 (17432)
Published on 22 January 2019
Integrations

4 New Integrations
- __Alexa Rank Indicator__
Alexa provides website ranking information that can be useful in determining if the domain in question has a strong web presence.
- __MaxMind GeoIP2__
Enriches IP addresses.
- __ThreatMiner__
Discover additional information on IOCs.
- __Google Resource Manager__
Google Cloud Platform Resource Manager

20 Improved Integrations
- __AWS - CloudTrail__
Fixed a bug in ___aws-cloudtrail-lookup-events___ command.
- __AWS - CloudWatchLogs__
Improved argument implementation for the ___region___ command.
- __AWS - S3__
Fixed a bug in the ___aws-s3-upload-file___ command.
- __Carbon Black Enterprise Live Response__
Improved outputs for the ___cb-directory-listing___ command.
- __Cybereason__
- Enhanced outputs for the ___cybereason-query-malops___ command.
- Improved the implementation of the ___cybereason-isolate-machine___ command to match all Cybereason versions.
- __Cylance Protect__
Enhanced outputs for the ___cp-download-threat___ and ___cylance-protect-download-threat___ commands.
- __EWS v2__
Improved EWS instance configuration.
- __Gmail__
Improved text conversion for HTML only emails.
- __Hybrid Analysis__
Added the ___hybrid-analysis-get-report-status___ command.
- __Microsoft Graph__
Implemented OAuth2 authentication. See the integration documentation for further details.
- __Palo Alto Firewall and Panorama__
- Improved error handling for port configuration.
- Improved the implementation of the ___panorama-custom-block___ command.
- Fixed the generic rule name given to Security Rules in several commands when no rule name is supplied.
- __RSA NetWitness v11.1__
Fixed a bug in the ___netwitness-update-incident___ command.
- __Shodan__
Added the _page_ argument to the ___search___ command.
- __SplunkPy__
- Added the ___unsecure___ parameter.
- Fixed a bug in the command ___splunk-notable-event-edit___.
- __ThreatConnect__
For the ___tc-update-indicator___ command, we added support for the following arguments:
- ___falsePositive___
- ___observations___
- ___securityLabel___
- ___threatAssessConfidence___
- ___threatAssessRating___
- __Cisco Threat Grid__
Added data to raw response for the feeds commands.
- __Windows Defender Advanced Threat Protection__
Added the ___microsoft-atp-update-alert___ command.
- __Rasterize__
Added the _size_ argument to the ___rasterize-image___ command.
- __FireEye HX__
Added the ___fireeye-hx-create-indicator___ command.
- __JASK__
- Improved the implementation of fetched incidents.
- Added a parameter which enables you to define the result limit.

---
Scripts

5 New Scripts
- __ConvertKeysToTableFieldFormat__
Converts object keys to match table keys.
Use this script when mapping object/collection to a grid (table) field.
- __ExtractIndicatorsFromTextFile__
Extracts indicators from a text-based file.
- __ExtractIndicatorsFromWordFile__
Extracts indicators from Word files (DOC, DOCX).
- __ReadPDFFile__
Loads a PDF file's contents and metadata into context.
- __StringContainsArray__
Checks whether a substring or an array of substrings is within a string array (each item will be checked).

5 Improved Scripts
- __ExtractIndicatorsFromTextFile__
Updated the script to use the enhanced ___extractIndicators___ command.
- __IsMaliciousIndicatorFound__
Added support for Email and Domain indicators.
- __ParseCSV__
Improved handling of the null byte character.
- __Ping__
Updated the script to use the native ping utility.
- __ReadPDFFile__
Updated the script to use the enhanced ___extractIndicators___ command.

---
Playbooks

New Playbook
- __Detonate File - HybridAnalysis__
Detonates one or more files using the Hybrid Analysis integration.

5 Improved Playbooks
- __Calculate Severity - Critical assets__
Replaced use of the ___StringContains___ script with a new filter.
- __Detonate File - Generic__
Added the Hybrid Analysis detonate file playbook.
- __Extract Indicators From File - Generic__
The playbook now utilizes the new feature of extracting indicators from Word documents.
- __Get File Sample By Hash - Cylance Protect__
Added support for the Cylance Protect v2 and Cylance Protect v1 integrations.
- __Get File Sample From Hash - Generic__
Added MD5 and SHA-256 inputs to the playbook.

19.1.1

Demisto Content Release Notes for version 19.1.1 (16961)
Published on 13 January 2019

Integrations

2 New Integrations
- __CIRCL__
CIRCL Passive DNS is a database storing historical DNS records from various resources.
CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the [CIRCL documentation](https://support.demisto.com/hc/en-us/articles/360015114294).
- __MISP V2__
Malware information sharing platform and threat sharing.
This integration replaces the __MISP (Deprecated)__ integration.

10 Improved Integrations
- __Pwned__
Fixed an issue in the ___email___ command that affected backward compatibility.
- __AbuseIPDB__
- Fixed context issues.
- Added the ___AbuseIPDB-PopulateIndicators___ script.
- __Cybereason__
- Improved implementation of malop fetching as incidents.
- Added 5 new commands:
- ___cybereason-prevent-file___
- ___cybereason-unprevent-file___
- ___cybereason-query-file___
- ___cybereason-query-domain___
- ___cybereason-query-user___

For more information, see the [Cybereason documentation](https://support.demisto.com/hc/en-us/articles/360007903594).
- __Google Vault__
- Added 4 new commands:
- ___gvault-get-drive-results___
- ___gvault-get-mail-results___
- ___gvault-get-groups-results___
- ___gvault-download-results___
- Added 4 new Google Vault playbooks:
- ___Google Vault - Search Mail___
- ___Google Vault - Search Drive___
- ___Google Vault - Search Groups___
- ___Google Vault - Display results___
- In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

For more information, see the [Google Vault documentation](https://support.demisto.com/hc/en-us/articles/360010994213).
- __IntSights__
- The ___get_alerts___ command now retrieves all alert details.
- Added the ___time-delta___ argument, which retrieves alerts based on a given time delta (in days).

For more information, see the [IntSights documentation](https://demisto.zendesk.com/hc/en-us/articles/360010956714).
- __ServiceNow__
Improved handling of empty responses and missing fields.
- __Cisco Threat Grid__
You can now submit a file that has unicode characters in the name.
- __TruSTAR__
Added 4 new commands:
- ___file___
- ___url___
- ___ip___
- ___domain___

For more information, see the [TruSTAR documentation](https://support.demisto.com/hc/en-us/articles/360005445133).
- __Have I Been Pwned?__
Added DBot score.
- __ThreatConnect__
- Added context and markdown to existing commands.
- Added new commands.
---
Scripts

7 New Scripts
- __AbuseIPDBPopulateIndicators__
Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
- __ChangeRemediationSLAOnSevChange__
Changes the remediation SLA when a change in incident severity occurs.
- __CopyContextToField__
Copies a context key to an incident field across multiple incidents, based on a query.
- __CybereasonPreProcessingExample__
Run this preprocessing script when fetching Cybereason malops. The script checks whether a malop was already fetched; if so, it updates the existing incident, otherwise it creates a new incident.
- __DT__
This automation allows the usage of DT scripts within playbook transformers.
- __LinkIncidentsWithRetry__
Running multiple link-incidents operations simultaneously can cause DB version errors. Use the ___LinkIncidentsWithRetry___ script to avoid this error.
- __StopTimeToAssignOnOwnerChange__
Stops the _Time To Assign_ timer when the incident owner changes.

6 Improved Scripts
- __cveReputation__
Added a fixed number of retries to execute the ___cve-search___ command when a 404 error is returned.
- __ProofpointDecodeURL__
Added a helpful error description when a URL is not found in the query.
- __SSDeepReputation__
You can now use this script as an indicator reputation script.
- __SplunkPySearch__
- Fixed the 'Missing headers param' bug.
- Added error validation for the command result.

Deprecated Scripts
- __misp_download_sample__
This script is deprecated; use the ___misp-download-sample___ command in the MISP V2 integration instead.
- __misp_upload_sample__
This script is deprecated; use the ___misp-upload-sample___ command in the MISP V2 integration instead.

---
Playbooks

4 New Playbooks
- __Google Vault - Display Results__
Queues and displays Google Vault search results.
- __Google Vault - Search Drive__
Performs Google Vault searches in Drive accounts, and displays the results.
- __Google Vault - Search Groups__
Performs Google Vault searches in Groups, and displays the results.
- __Google Vault - Search Mail__
Performs Google Vault searches in Mail accounts, and displays the results.


---

Widgets
1 Improved Widget
- __MTTR by Type__
MTTR is now in the timeline widget.

---

19.1.0

Demisto Content Release Notes for version 19.1.0 (16707)
Published on 08 January 2019
Integrations

2 New Integrations
- __CIRCL__
CIRCL Passive DNS is a database storing historical DNS records from various resources.
CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the [CIRCL documentation](https://support.demisto.com/hc/en-us/articles/360015114294).
- __MISP V2__
Malware information sharing platform and threat sharing.
This integration replaces the __MISP (Deprecated)__ integration.

9 Improved Integrations
- __AbuseIPDB__
- Fixed context issues.
- Added the ___AbuseIPDB-PopulateIndicators___ script.
- __Cybereason__
- Improved implementation of malop fetching as incidents.
- Added 5 new commands:
- ___cybereason-prevent-file___
- ___cybereason-unprevent-file___
- ___cybereason-query-file___
- ___cybereason-query-domain___
- ___cybereason-query-user___

For more information, see the [Cybereason documentation](https://support.demisto.com/hc/en-us/articles/360007903594).
- __Google Vault__
- Added 4 new commands:
- ___gvault-get-drive-results___
- ___gvault-get-mail-results___
- ___gvault-get-groups-results___
- ___gvault-download-results___
- Added 4 new Google Vault playbooks:
- ___Google Vault - Search Mail___
- ___Google Vault - Search Drive___
- ___Google Vault - Search Groups___
- ___Google Vault - Display results___
- In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

For more information, see the [Google Vault documentation](https://support.demisto.com/hc/en-us/articles/360010994213).
- __IntSights__
- The ___get_alerts___ command now retrieves all alert details.
- Added the ___time-delta___ argument, which retrieves alerts based on a given time delta (in days).

For more information, see the [IntSights documentation](https://demisto.zendesk.com/hc/en-us/articles/360010956714).
- __ServiceNow__
Improved handling of empty responses and missing fields.
- __Cisco Threat Grid__
You can now submit a file that has unicode characters in the name.
- __TruSTAR__
Added 4 new commands:
- ___file___
- ___url___
- ___ip___
- ___domain___

For more information, see the [TruSTAR documentation](https://support.demisto.com/hc/en-us/articles/360005445133).
- __Have I Been Pwned?__
Added DBot score.
- __ThreatConnect__
- Added context and markdown to existing commands.
- Added new commands.
---
Scripts

7 New Scripts
- __AbuseIPDBPopulateIndicators__
Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
- __ChangeRemediationSLAOnSevChange__
Changes the remediation SLA when a change in incident severity occurs.
- __CopyContextToField__
Copies a context key to an incident field across multiple incidents, based on a query.
- __CybereasonPreProcessingExample__
Run this preprocessing script when fetching Cybereason malops. The script checks whether a malop was already fetched; if so, it updates the existing incident, otherwise it creates a new incident.
- __DT__
This automation allows the usage of DT scripts within playbook transformers.
- __LinkIncidentsWithRetry__
Running multiple link-incidents operations simultaneously can cause DB version errors. Use the ___LinkIncidentsWithRetry___ script to avoid this error.
- __StopTimeToAssignOnOwnerChange__
Stops the _Time To Assign_ timer when the incident owner changes.

6 Improved Scripts
- __cveReputation__
Added a fixed number of retries to execute the ___cve-search___ command when a 404 error is returned.
- __ProofpointDecodeURL__
Added a helpful error description when a URL is not found in the query.
- __SSDeepReputation__
You can now use this script as an indicator reputation script.
- __SplunkPySearch__
- Fixed the 'Missing headers param' bug.
- Added error validation for the command result.

Deprecated Scripts
- __misp_download_sample__
This script is deprecated; use the ___misp-download-sample___ command in the MISP V2 integration instead.
- __misp_upload_sample__
This script is deprecated; use the ___misp-upload-sample___ command in the MISP V2 integration instead.

---
Playbooks

4 New Playbooks
- __Google Vault - Display Results__
Queues and displays Google Vault search results.
- __Google Vault - Search Drive__
Performs Google Vault searches in Drive accounts, and displays the results.
- __Google Vault - Search Groups__
Performs Google Vault searches in Groups, and displays the results.
- __Google Vault - Search Mail__
Performs Google Vault searches in Mail accounts, and displays the results.


---

Widgets
1 Improved Widget
- __MTTR by Type__
MTTR is now in the timeline widget.

---
