Demisto-py

🎄 Demisto Content Release Notes for version 18.12.2 (16142) 🎄
Published on 25 December 2018
❄️ Integrations ❄️

3 New Integrations
- __HashiCorp Vault__
Manage secrets and protect sensitive data.
- __Attivo BOTsink__
Network-based threat deception for post-compromise threat detection.
- __AbuseIP__
Central repository to report and identify IP addresses that have been associated with malicious activity online.

4 Improved Integrations
- __EWS v2__
Improved error messages.
- __FireEye HX__
Added two commands:
- ___fireeye-hx-search___
- ___fireeye-hx-get-host-set-information___
- __Rasterize__
Improved error handling for Rasterize errors.
- __Palo Alto Networks Panorama__
- Added support for __Palo Alto Firewall__.
- Added 28 new commands, which are related to:
- Commit and push configurations
- Object handling: Addresses, Address Groups, Custom URL Category and URL FIltering
- Security rule management: Create, edit, move, and delete rules
---
☃️ Scripts ☃️
5 New Scripts
- __DBotPredictPhishingEvaluation__
Evaluate pre-trained machine learning phishing model in Demisto.
- __DBotPredictPhishingLabel__
Predict text labels using the pre-trained machine learning phishing model.
- __DBotPredictTextLabel__
Predict text labels using the pre-trained machine learning phishing model.
- __DBotPreparePhishingData__
This script is part of phishing model training using machine learning.
- __DBotTrainTextClassifier__
Create a text classifier model using machine learning.

Improved Script
- __findIncidentsWithIndicator__
Fixed the ___Indicator___ and ___incidentIDs___ context keys (this fix is not backward compatible).

6 Deprecated Scripts
- __PanoramaBlockIP__
Use the ___panorama-custom-block-rule___ command.
- __PanoramaCommit__
Use the integration ___panorama-commit___ command.
- __PanoramaConfig__
Use the ___panorama-config___ command.
- __PanoramaDynamicAddressGroup__
Use the ___panorama-create-address-group___ command.
- __PanoramaMove__
Use the ___panorama-move-rule___ command.
- __PanoramaPcaps__
---
🎅 Playbooks 🎅
3 New Playbooks
- __DBotCreatePhishingClassifier__
Create a phishing classifier using machine learning technique, based on email content. For more information, see the [Demisto Phishing Email Classifier documentation](https://support.demisto.com/hc/en-us/articles/360014423774).
- __DBotCreatePhishingClassifierJob__
Train the phishing machine learning model.
- __PanoramaCommitConfiguration__
Commit configurations to Palo Alto Networks Firewall and Panorama.

7 Improved Playbooks
- __Detonate File - BitDam__
Only supported file types are submitted to BitDam.
- __Detonate File - Lastline__
Only supported file types are submitted to Lastline.
- __ATD - Detonate File__
Only supported file types are submitted to McAfee ATD.
- __Detonate File - SNDBOX__
Only supported file types are submitted to SNDBOX.
- __Detonate File - ThreatGrid__
Only supported file types are submitted to ThreatGrid.
- __WildFire - Detonate file__
Only supported file types are submitted to WildFire.
- __Extract Indicators From File - Generic__
Fixed duplicate parsing of _.eml_ and _.msg_ files. These file types are now ignored when extracting indicators from files.


 Demisto Wishes You Happy Holidays ! 

Demisto Content Release Notes for version 18.12.1 (15710)
Published on 11 December 2018
Integrations

9 New Integrations
- __AWS - Security Hub__
Amazon Web Services Security Hub Service.
- __AWS SageMaker__
AWS SageMaker - Demisto Phishing Email Classifier.
- __Cymon__
Analyzes suspicious domains and IP addresses. For more information, see the [Cymon documentation](https://support.demisto.com/hc/en-us/articles/360013224833).
- __SNDBOX__
SNDBOX as a service. For more information, see the [SNDBOX documentation](https://support.demisto.com/hc/en-us/articles/360013178194).
- __Cisco Stealthwatch Cloud__
Protect your cloud assets and private network. For more information, see the [Stealthwatch Cloud documentation](https://support.demisto.com/hc/en-us/articles/360013019174).
- __Whois__
Provides data enrichment for domains and IP addresses. For more information, see the [Whois documentation](https://support.demisto.com/hc/en-us/articles/360013556333).
- __dnstwist__
Domain name permutation engine for detecting typo squatting, phishing and corporate espionage. For more information, see the [dnstwist documentation](https://support.demisto.com/hc/en-us/articles/360013169614).
- __InfoArmor VigilanteATI__
VigilanteATI redefines Advanced Threat Intelligence. InfoArmor's VigilanteATI platform and cyber threat services act as an extension of your IT security team. For more information, see the [InfoArmore VigilanteATI documentation](https://support.demisto.com/hc/en-us/articles/360012622533).
- __Awake Security__
Network Traffic Analysis. For more information, see the [Awake Security documentation](https://support.demisto.com/hc/en-us/articles/360013415834).
20 Improved Integrations
- __AWS - EC2__
- Added two commands:
- ___aws-ec2-modify-instance-attribute___.
- ___aws-ec2-modify-network-interface-attribute___.
- Upgraded Boto3 version to v1.9.55.
- __AWS - IAM__
Added nine commands:
- ___aws-iam-create-policy___
- ___aws-iam-delete-policy___
- ___aws-iam-create-policy-version___
- ___aws-iam-delete-policy-version___
- ___aws-iam-list-policy-versions___
- ___aws-iam-get-policy-version___
- ___aws-iam-set-default-policy-version___
- ___aws-iam-create-account-alias___
- ___aws-iam-delete-account-alias___
- __AWS - S3__
You can now create a bucket in any region.
- __ArcSight ESM__
Added logout handling.
- __Box__
Added two command:
- ___box_files_get___
- ___box_files_get_info___
- __Lastline__
Improved quota error handling.
- __McAfee Advanced Threat Defense__
- Improved outputs for malicious files.
- Added support to get reports of various types.
- Fixed rounding long numbers of IDs.
- __McAfee NSM__
Added the ___sensor_id___ argument to the ___get-alert-details___ command.
- __Mimecast__
Added two commands:
- ___mimecast-get-message___.
- ___mimecast-download-attachments___.
- __okta__
Added three commands:
- ___okta-get-user-factors___
- ___okta-verify-push-factor___
- ___okta-reset-factor___
- __OpenPhish__
Added support to trust any certificate in HTTP requests.
- __PagerDuty v2__
Added two commands:
- ___PagerDuty-acknowledge-event___
- ___PagerDuty-resolve-event commands___
- __ServiceNow__
Added the ___servicenow-get-table-name___ command.
- __Tenable.io__
Improved integration outputs.
- __Tenable.sc__
Improved implementation of the ___tenable-sc-get-device___ command.
- __urlscan.io__
Improved integration outputs.
- __Venafi__
Improved integration implementation.
- __Zscaler__
URL validation for the ___zscaler-blacklist-url___ command matches the Zscaler GUI.
- __Cisco Meraki__
Updated the API login URL.
- __Atlassian Jira__
Improved authentication process.

Deprecated Integration
- __Mimecast Authentication Deprecated__
Use the Mimecast integration.
---
Scripts

4 New Scripts

- __DemistoUploadFileToIncident__
Upload a file to a specified incident using the EntryID.
- __JiraCreateIssue-example__
Use this script simplify the process of creating a new issue in Jira.
- __ServiceNowCreateIncident__
Use this script to wrap the generic ___create-record___ command in ServiceNow.
- __ServiceNowQueryIncident__
Use this script to wrap the generic ___query-table___ command in ServiceNow.
- __ServiceNowUpdateIncident__
Use this script to wrap the generic ___update-record___ command in ServiceNow.

6 Improved Scripts
- __ADGetUser__
Return multiple results when running the script with a custom query.
- __Base64ListToFile__
Support for compressed data (zipped).
- __CBFindHash__
Fixed an issue in which the script does not return results.
- __FindSimilarIncidents__
- Added support for the _OR_ condition.
- Added a custom query argument.
- __QRadarGetCorrelationLogs__
The ___start_time___ field can now be either epoch time or a date string.
- __QRadarGetOffenseCorrelations__
The ___start_time___ field can now be either epoch time or a date string.

---
Playbooks

New Playbook
- __Detonate File - SNDBOX__
Detonates a file using the SNDBOX integration.

4 Improved Playbooks
- __Detonate File - Generic__
Added support for the SNDBOX integration.
- __ATD - Detonate File__
Improved playbook outputs.
- __Detonate URL - McAfee ATD__
Improved playbook outputs.
- __CrowdStrike Endpoint Enrichment__
Improved playbook outputs.

Demisto Content Release Notes for version 18.12.0 (15435)
Published on 05 December 2018
Integrations
2 Improved Integrations
- __IBM QRadar__
- Added ___remoteDestinationCount___ field to indicate an offense has a remote destination.
- Added ability to use custom output path in the command ___qradar-get-search-results___.
- Converted ___CloseTime___ field to date string.
- Fixed fetch incidents bug.
- __Symantec Endpoint Protection 14__
Improved proxy implementation in HTTP requests.
---
Playbooks
2 Improved Playbooks
- __Detonate File - Cuckoo__
Changed ___File___ argument not to be mandatory.
- __Detonate URL - Cuckoo__
Changed ___URL___ argument not to be mandatory.

Demisto Content Release Notes for version 18.11.2 (15082)
Published on 28 November 2018
Integrations

3 New Integrations
- __Server Message Block (SMB)__
Retrieve files from an SMB server. For more information, see the [SMB documentation](https://support.demisto.com/hc/en-us/articles/360012404213).
- __FortiGate__
Manage firewall settings and groups. For more information, see the [FortiGate documentation](https://support.demisto.com/hc/en-us/articles/360012690573).
- __Tenable Security Center__
Get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster. For more information, see the [Tenable.sc documentation](https://support.demisto.com/hc/en-us/articles/360012684613).

12 Improved Integrations
- __ServiceNow__
- Added support to retrieve records from any table generically in addition to tickets.
- Deprecated the ___servicenow-get___ command. Use the ___servicenow-get-ticket___ and ___servicenow-get-record___ commands instead.
- Deprecated the ___servicenow-create___ command. Use the ___servicenow-create-ticket___ and ___servicenow-create-record___ commands instead.
- Deprecated the ___servicenow-update___ command. Use the ___servicenow-update-ticket___ and ___servicenow-update-record___ commands instead.
- Deprecated the ___servicenow-query___ command. Use the ___servicenow-query-tickets___ and ___servicenow-query-table___ commands instead.
- Added the ___servicenow-list-table-fields___ command.

- __Cylance Protect v2__
Improved fetch incidents implementation.
- __Lastline__
In the ___lastline-get-report___ command, we added the _isArray_ option to the _uuid_ argument.
- __Mimecast__
- Added 3 authentication commands:
- ___mimecast-login___
- ___mimecast-discover___
- ___mimecast-refresh-token___
- Improved outputs for the ___mimecast-query command___ command.
- Added a process for automatic token refresh.
- __PagerDuty v2__
Added fetch incidents functionality.
- __Phish.AI__
Added generic polling functionality for URLs.
- __IBM QRadar__
Added 5 commands:
- ___qradar-create-reference-set___
- ___qradar-delete-reference-set___
- ___qradar-create-reference-set-value___
- ___qradar-update-reference-set-value___
- ___qradar-delete-reference-set-value___
- __Recorded Future__
Improved the error message when an IOC does not exist in Recorded Future.
- __Venafi__
- Added the ___venafi-get-certificate-details___ command.
- Improved outputs for the ___venafi-get-certificates___ command.
- __RSA NetWitness Endpoint__
Fixed a bug when querying machines by hostname.
- __FireEye HX__
Fixed a ___fireeye-hx-host-containment___ command name error.
- __RSA NetWitness v11.1__
Fixed an error for bad responses when retrieving a token.

---
Scripts

6 New Scripts
- __JSONFileToCSV__
Converts a JSON file War Room output to a CSV file.
- __JSONtoCSV__
Converts a JSON War Room output via EntryID to a CSV file.
- __SetByIncidentId__
Sets a value to the context with the specified context key of a given incident.
- __URLDecode__
Decodes a URL from a URL query to human-readable URL.
- __WordTokenize__
Tokenize the words of an input text.
- __ParseJSON__
Parse a given JSON string "value" to a representative object.

4 Improved Scripts
- __GetTime__
- Added time functions: UTC, year, month, day in week, hours, and UTC hours.
- Fixed GMT time to use UTC, and to not be case-sensitive.
- __LoadJSON__
Parses complicated JSON structures.
- __CreateEmailHtmlBody__
- Added the ability to have custom fields in the template in both ___.incident.CustomFields.___ and ___incident.____ formats.
- Added the option to replace non-found placeholder values with empty string.
- __ActiveUsersD2__
Discarded uniqBy use.
---
Playbooks

New Playbooks
- __Detonate File - Cuckoo__
Detonates files using the Cuckoo integration.
- __Detonate URL - Cuckoo__
Detonates URLs using the Cuckoo integration.
- __Detonate URL - Phish.AI__
Detonates a URL using the Phish.AI integration.
- __Launch Scan - Tenable.sc__
Launches an existing Tenable.sc scan by scan ID, and waits for the scan to finish by polling the scan status according to predefined intervals.

2 Improved Playbooks
- __Detonate File - Generic__
Added support for Cuckoo Sandbox.
- __Detonate URL - Generic__
Added support for Cuckoo Sandbox.

Demisto Content Release Notes for version 18.11.1 (14682)
Published on 18 November 2018
Integrations

5 New Integrations
- __BigFix__
IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. For more information, see the [IBM BigFix documentation](https://support.demisto.com/hc/en-us/articles/360011403394-BigFix).
- __Google Vault__
Archiving and eDiscovery for G Suite. For more information, see the [Google Vault documentation](https://support.demisto.com/hc/en-us/articles/360010994213).
- __Luminate__
Enrich reports and respond to incidents. For more information, see the [Luminate documentation](https://support.demisto.com/hc/en-us/articles/360011975994).
- __Tenable.io__
A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications. For more information, see the [Tenable.io documentation](https://support.demisto.com/hc/en-us/articles/360011971614).
- __Windows Defender Advanced Threat Protection__
Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. For more information, see the [Windows Defender ATP documentation](https://support.demisto.com/hc/en-us/articles/360011926814).

18 Improved Integrations
- __Carbon Black Enterprise Live Response__
- Improved error messages for the ___session-create-and-wait___ command.
- Improved results for the ___cb-session-close___ command to reflect the actual session status for a CB Response case.
- __Carbon Black Enterprise Response__
- Improved outputs for the command ___cb-binary___ command to display full results for the _Hostname_ field.
- Improved implementation of the ___cb-process-events___ command to prevent failure in case the information returned is partial.
- __CrowdStrike Falcon Intel__
Improved output for DBotScore when an indicator is not found.
- __EWS v2__
Fixed a typo in compliance search methods.
- __Gmail__
Added two commands to implement an email blockage use case. For more information, see the [Gmail documentation](https://support.demisto.com/hc/en-us/articles/360007598794).
- ___gmail-add-delete-filter___
- ___gmail-add-filter___
- __Cylance Protect v2__
Added 5 commands:
- ___cylance-protect-download-threat___
- ___cylance-protect-add-hash-to-list___
- ___cylance-protect-delete-hash-from-lists___
- ___cylance-protect-get-policy-details___
- ___cylance-protect-delete-devices___
- __Mimecast v2__
- Refactored the Mimecast integration. Mimecast v1 is now deprecated.
- Implemented incident fetching.
- Fetch URL logs: Fetches email logs containing malicious URLs
- Fetch attachment logs: Fetches email logs containing malicious attachments
- Fetch impersonation logs: Fetches email logs containing impersonation incidents
- Added 12 commands:
- ___mimecast-list-blocked-sender-policies___
- ___mimecast-create-policy___
- ___mimecast-delete-policy___
- ___mimecast-get-policy___
- ___mimecast-query___
- ___mimecast-url-decode___
- ___mimecast-manage-sender___
- ___mimecast-list-managed-url___
- ___mimecast-create-managed-url___
- ___mimecast-list-messages___
- ___mimecast-get-url-logs___
- ___mimecast-get-impersonation-logs___
- ___mimecast-get-attachment-logs___
- __Palo Alto MineMeld__
Improved implementation of whitelist/blacklist initialization.
- __Rapid7 Nexpose__
Added support to view, stop, pause and resume scans. For more information, see the [Rapid7 Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333).
- __SCADAfence CNM__
Added two commands. For more information, see the [SCADAfence CNM documentation](https://support.demisto.com/hc/en-us/articles/360008899633).
- ___scadafence-getAllConnections___
- ___scadafence-createAlert___
- __SplunkPy__
Added support to fetch notable events using Splunk Time instead of the Demisto server time.
- __VirusTotal - Private API__
Improved the error message when the quota is exceeded.
- __Palo Alto WildFire__
The ___wildfire-upload___ command now supports multiple uploads.
- __McAfee ePO__
- Added two commands.
- ___epo-find-system___
- ___epo-get-version___
- Improved outputs for the ___epo-query-table___ command.
- __Rasterize__
Added rasterize-image command to securely display images in war room.
- __IBM QRadar__
- Fixed incidents fetching bug.
- Added the ___qradar-get-reference-by-name___ command.
- Reimplemented the integration in Python.
- __Cisco Threat Grid__
- Updated the integration to align with changes in Threat Grid API.
- Enhanced outputs for the ___threat-grid-get-analysis-by-id___ command.
- Added two commands:
- ___threat-grid-search-urls___
- ___threat-grid-search-samples___
- __urlscan.io__
- The ___ip___ and ___file___ commands are no longer supported.
- Reformatted context outputs.
- Added the command ___urlscan-search___
---
Scripts

2 New Scripts
- __ExifRead__
Read image files' metadata and provide Exif tags.
- __ParseExcel__
The automation takes an Excel file (entryID) as an input and parses its content to the War Room and context.

6 Improved Scripts
- __ADGetUser__
Improved display formatting of _UserAccountControl_ flags.
- __BlockIP__
The _rulename_ and _ipname_ arguments are now optional, and include improved defaults.
- __CPBlockIP__
The _rulename_ and _ipname_ arguments are now optional, and include improved defaults.
- __PanoramaBlockIP__
The _rulename_ argument is now optional, and includes improved defaults.
- __ProofpointDecodeURL__
Improved handling of error scenarios.
- __ReadPDFFile__
Improved handling PSEOF error.
---
Playbooks

2 New Playbooks
- __QRadarFullSearch__
This playbook runs a QRadar query and returns the query results to the context.
- __Tenable.io Scan__
Run a Tenable.io scan.

Demisto Content Release Notes for version 18.11.0 (14606)
Published on 13 November 2018
Integrations

5 New Integrations
- __BigFix__
IBM BigFix Patch provides an automated, simplified patching process that is administered from a single console. For more information, see the [IBM BigFix documentation](https://support.demisto.com/hc/en-us/articles/360011403394-BigFix).
- __Google Vault__
Archiving and eDiscovery for G Suite. For more information, see the [Google Vault documentation](https://support.demisto.com/hc/en-us/articles/360010994213).
- __Luminate__
Enrich reports and respond to incidents. For more information, see the [Luminate documentation](https://support.demisto.com/hc/en-us/articles/360011975994).
- __Tenable.io__
A comprehensive asset centric solution to accurately track resources while accommodating dynamic assets such as cloud, mobile devices, containers and web applications. For more information, see the [Tenable.io documentation](https://support.demisto.com/hc/en-us/articles/360011971614).
- __Windows Defender Advanced Threat Protection__
Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. For more information, see the [Windows Defender ATP documentation](https://support.demisto.com/hc/en-us/articles/360011926814).

18 Improved Integrations
- __Carbon Black Enterprise Live Response__
- Improved error messages for the ___session-create-and-wait___ command.
- Improved results for the ___cb-session-close___ command to reflect the actual session status for a CB Response case.
- __Carbon Black Enterprise Response__
- Improved outputs for the command ___cb-binary___ command to display full results for the _Hostname_ field.
- Improved implementation of the ___cb-process-events___ command to prevent failure in case the information returned is partial.
- __CrowdStrike Falcon Intel__
Improved output for DBotScore when an indicator is not found.
- __EWS v2__
Fixed a typo in compliance search methods.
- __Gmail__
Added two commands to implement an email blockage use case. For more information, see the [Gmail documentation](https://support.demisto.com/hc/en-us/articles/360007598794).
- ___gmail-add-delete-filter___
- ___gmail-add-filter___
- __Cylance Protect v2__
Added 5 commands:
- ___cylance-protect-download-threat___
- ___cylance-protect-add-hash-to-list___
- ___cylance-protect-delete-hash-from-lists___
- ___cylance-protect-get-policy-details___
- ___cylance-protect-delete-devices___
- __Mimecast v2__
- Refactored the Mimecast integration. Mimecast v1 is now deprecated.
- Implemented incident fetching.
- Fetch URL logs: Fetches email logs containing malicious URLs
- Fetch attachment logs: Fetches email logs containing malicious attachments
- Fetch impersonation logs: Fetches email logs containing impersonation incidents
- Added 12 commands:
- ___mimecast-list-blocked-sender-policies___
- ___mimecast-create-policy___
- ___mimecast-delete-policy___
- ___mimecast-get-policy___
- ___mimecast-query___
- ___mimecast-url-decode___
- ___mimecast-manage-sender___
- ___mimecast-list-managed-url___
- ___mimecast-create-managed-url___
- ___mimecast-list-messages___
- ___mimecast-get-url-logs___
- ___mimecast-get-impersonation-logs___
- ___mimecast-get-attachment-logs___
- __Palo Alto MineMeld__
Improved implementation of whitelist/blacklist initialization.
- __Rapid7 Nexpose__
Added support to view, stop, pause and resume scans. For more information, see the [Rapid7 Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333).
- __SCADAfence CNM__
Added two commands. For more information, see the [SCADAfence CNM documentation](https://support.demisto.com/hc/en-us/articles/360008899633).
- ___scadafence-getAllConnections___
- ___scadafence-createAlert___
- __SplunkPy__
Added support to fetch notable events using Splunk Time instead of the Demisto server time.
- __VirusTotal - Private API__
Improved the error message when the quota is exceeded.
- __Palo Alto WildFire__
The ___wildfire-upload___ command now supports multiple uploads.
- __McAfee ePO__
- Added two commands.
- ___epo-find-system___
- ___epo-get-version___
- Improved outputs for the ___epo-query-table___ command.
- __Rasterize__
Added rasterize-image command to securely display images in war room.
- __IBM QRadar__
- Added the ___qradar-get-reference-by-name___ command.
- Reimplemented the integration in Python.
- __Cisco Threat Grid__
- Updated the integration to align with changes in Threat Grid API.
- Enhanced outputs for the ___threat-grid-get-analysis-by-id___ command.
- Added two commands:
- ___threat-grid-search-urls___
- ___threat-grid-search-samples___
- __urlscan.io__
- The ___ip___ and ___file___ commands are no longer supported.
- Reformatted context outputs.
- Added the command ___urlscan-search___
---
Scripts

2 New Scripts
- __ExifRead__
Read image files' metadata and provide Exif tags.
- __ParseExcel__
The automation takes an Excel file (entryID) as an input and parses its content to the War Room and context.

6 Improved Scripts
- __ADGetUser__
Improved display formatting of _UserAccountControl_ flags.
- __BlockIP__
The _rulename_ and _ipname_ arguments are now optional, and include improved defaults.
- __CPBlockIP__
The _rulename_ and _ipname_ arguments are now optional, and include improved defaults.
- __PanoramaBlockIP__
The _rulename_ argument is now optional, and includes improved defaults.
- __ProofpointDecodeURL__
Improved handling of error scenarios.
- __ReadPDFFile__
Improved handling PSEOF error.
---
Playbooks

2 New Playbooks
- __QRadarFullSearch__
This playbook runs a QRadar query and returns the query results to the context.
- __Tenable.io Scan__
Run a Tenable.io scan.