Demisto-py

Latest version: v3.3.0


18.10.3

Demisto Content Release Notes for version 18.10.3 (14022)
Published on 30 October 2018
Integrations

3 New Integrations
- __AWS - CloudWatchLogs__
Amazon Web Services CloudWatch Logs (logs). For more information, see the [Amazon Web Services CloudWatch documentation](https://support.demisto.com/hc/en-us/articles/360010259234).
- __BitDam__
BitDam secure email gateway protects against advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source. For more information, see the [BitDam documentation](https://support.demisto.com/hc/en-us/articles/360011347694).
- __Red Canary__
Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon.

15 Improved Integrations
- __AWS - S3__
Added the ___aws-s3-upload-file___ command. For more information, see the [AWS S3 documentation](https://support.demisto.com/hc/en-us/articles/360001941113).
- __Carbon Black Enterprise Live Response__
Improved the integration test.
- __IntSights__
Improved integration implementation and execution. For more information, see the [IntSights documentation](https://support.demisto.com/hc/en-us/articles/360010956714).
- __Devo__
Added a default results limit of 30.
- __EWS v2__
Added support for Public Folders and compliance search in Office 365.
- __FireEye HX__
Added enforcement of passing either the _defaultSystemScript_ argument or both the _script_ and _scriptName_ arguments when running the ___fireeye-hx-data-acquisition___ command.
- __Lastline__
For more information, see the [Lastline documentation](https://support.demisto.com/hc/en-us/articles/360011424433).
- Improved outputs, error messages, and code readability.
- Added support to insert multiple inputs for the ___lastline-get___ command.
- __PagerDuty v2__
Added support to send _ServiceKey_ with the ___PagerDuty-submit-event___ command.
- __Dell Secureworks__
Added support for getting ticket attachments.
- __ServiceNow__
- Added support for the catalog task ticket type.
- Improved error messages.
- __SumoLogic__
Added support to use the equal sign in the _query_ and _headers_ arguments for the ___search___ command.
- __ThreatConnect__
Fixed a filter issue when the _ratingThreshold_ argument is specified.
- __FireEye iSIGHT__
Added DBot score output for indicators that do not contain data.
- __McAfee ePO__
Added 2 commands:
- ___epo-get-tables___
- ___epo-query-table___
- __Cisco Umbrella Investigate__
Added 13 commands:
- ___domain___
- ___umbrella-get-related-domains___
- ___umbrella-get-domain-classifiers___
- ___umbrella-get-domain-queryvolume___
- ___umbrella-get-domain-details___
- ___umbrella-get-domains-for-email-registrar___
- ___umbrella-get-domains-for-nameserver___
- ___umbrella-get-whois-for-domain___
- ___umbrella-get-malicious-domains-for-ip___
- ___umbrella-get-domains-using-regex___
- ___umbrella-get-domain-timeline___
- ___umbrella-get-ip-timeline___
- ___umbrella-get-url-timeline___

---
Scripts

2 New Scripts
- __IsListExist__
Checks if a list exists in Demisto lists.
- __RegexGroups__
Extracts elements that are contained in all the subgroups that match the pattern.

5 Improved Scripts
- __EPOFindSystem__
Improved error handling.
- __FireEyeDetonateFile__
Added arguments to enable setting analysis type and pre-fetch when running the script.
- __PagerDutyAlertOnIncident__
PagerDuty API v2 is now supported.
- __UnzipFile__
Enabled decompression of AES encrypted files.
- __TextFromHTML__
Added support for multiple languages.

Deprecated Script
- __CloseInvestigation__
Use the ___closeInvestigation___ command.
---
Playbooks

13 New Playbooks
- __Add Indicator to Miner - Palo Alto MineMeld__
Add indicators to the relevant Miner using MineMeld.
- __Detonate File - BitDam__
Detonates one or more files using BitDam integration.
- __Block Account - Generic__
This playbook blocks malicious usernames using all integrations that you have enabled.
- __Block File - Carbon Black Response__
This playbook receives an MD5 hash and adds it to the blacklist in Carbon Black Enterprise Response.
- __Block File - Generic__
A generic playbook for blocking files from running on endpoints.
- __Block IP - Generic__
This playbook blocks malicious IPs using all integrations that you have enabled.
- __Block Indicators - Generic__
This playbook blocks malicious Indicators using all integrations that you have enabled.
- __Block URL - Generic__
This playbook blocks malicious URLs using all integrations that you have enabled.
- __Demisto Self-Defense - Account policy monitoring playbook__
Get list of Demisto users through the REST API, and alert if any non-SAML user accounts are found.
- __Detonate File - Lastline__
Detonates a File using the Lastline sandbox.
- __Detonate URL - Lastline__
Detonates a URL using the Lastline sandbox integration.
- __Office 365 Search and Delete__
Run a ComplianceSearch on Office 365 and delete the results.
- __Phishing Investigation - Generic__
Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

3 Improved Playbooks
- __Detonate File - Generic__
Added the Lastline Detonate File playbook.
- __Detonate URL - Generic__
Added the Lastline Detonate URL playbook.
- __Phishing Investigation - Generic__
Added support for blocking malicious indicators in relevant integrations.

18.10.2

Demisto Content Release Notes for version 18.10.2 (13642)
Published on 19 October 2018
Integrations

4 New Integrations
- __AWS - CloudTrail__
Amazon Web Services CloudTrail. For more information, see the [AWS - CloudTrail documentation](https://support.demisto.com/hc/en-us/articles/360009406993).
- __Devo__
Query data from Devo. For more information, see the [Devo documentation](https://support.demisto.com/hc/en-us/articles/360010222874).
- __Cyber Triage__
Conduct a mini-forensic investigation on an endpoint. For more information, see the [Cyber Triage documentation](https://support.demisto.com/hc/en-us/articles/360010473694).
- __ActiveMQ__
Message broker with a full message service client. For more information, see the [ActiveMQ documentation](https://support.demisto.com/hc/en-us/articles/360010559293).

Updated Integration
- __McAfee ePO__
The ___command___ and ___commandArgs___ arguments of the command ___epo-command___ are no longer available from the CLI and as playbook inputs, but can still be used in the command.

5 Improved Integrations
- __CrowdStrike Falcon Host__
Added 2 new commands. For more information, see the [CrowdStrike Falcon Host documentation](https://support.demisto.com/hc/en-us/articles/360008475454).
- ___cs-detection-search___
- ___cs-detection-details___
- __Joe Security__
Added the ___URL___ parameter to integration configuration.
- __McAfee NSM__
Improved integration outputs. For more information, see the [McAfee NSM documentation](https://support.demisto.com/hc/en-us/articles/360010556214).
- __ServiceNow__
Improved integration outputs.
- __VirusTotal - Private API__
Improved outputs for the ___vt-private-get-url-report___ command.

18.10.1

Demisto Content Release Notes for version 18.10.1 (13492)
Published on 16 October 2018
Integrations

4 New Integrations
- __AWS - CloudTrail__
Amazon Web Services CloudTrail. For more information, see the [AWS - CloudTrail documentation](https://support.demisto.com/hc/en-us/articles/360009406993).
- __Devo__
Query data from Devo. For more information, see the [Devo documentation](https://support.demisto.com/hc/en-us/articles/360010222874).
- __Cyber Triage__
Conduct a mini-forensic investigation on an endpoint. For more information, see the [Cyber Triage documentation](https://support.demisto.com/hc/en-us/articles/360010473694).
- __ActiveMQ__
Message broker with a full message service client. For more information, see the [ActiveMQ documentation](https://support.demisto.com/hc/en-us/articles/360010559293).

5 Improved Integrations
- __CrowdStrike Falcon Host__
Added 2 new commands. For more information, see the [CrowdStrike Falcon Host documentation](https://support.demisto.com/hc/en-us/articles/360008475454).
- ___cs-detection-search___
- ___cs-detection-details___
- __Joe Security__
Added the ___URL___ parameter to integration configuration.
- __McAfee NSM__
Improved integration outputs. For more information, see the [McAfee NSM documentation](https://support.demisto.com/hc/en-us/articles/360010556214).
- __ServiceNow__
Improved integration outputs.
- __VirusTotal - Private API__
Improved outputs for the ___vt-private-get-url-report___ command.

18.10.0

Demisto Content Release Notes for version 18.10.0 (13017)
Published on 02 October 2018
Integrations

2 New Integrations
- __Microsoft Graph__
Unified gateway to security insights - all from a unified Microsoft Graph Security API.
- __RSA NetWitness Endpoint__
Monitor and collect activity across all of your endpoints, on and off your network.

9 Improved Integrations
- __AWS - EC2__
- Added the ___aws-ec2-get-password-data___ command.
- Fixed several bugs.
- __FalconHost__
Fixed support for the __Trust any certificate__ checkbox.
- __Cybereason__
Improved fetch incidents implementation.
- __FireEye HX__
Fixed fetch events to handle empty results.
- __McAfee Advanced Threat Defense__
The integration is now written in Python.
- __Rapid7 Nexpose__
When site scanning, you can now scan all assets within the site.
- __ServiceNow__
Added an option to get ticket attachments (get command, fetch incidents) and additional outputs.
- __SplunkPy__
Added support for UTF8 encoding for search.
- __McAfee ePO__
Added outputs and error messages.

---
Scripts

1 New Script
- __PortListenCheck__
Checks whether a port was opened on a specific host.

2 Improved Scripts
- __D2O365ComplianceSearch__
Better error handling in PS script run.
- __D2O365SearchAndDelete__
Better error handling in PS script run.

18.9.2

Demisto Content Release Notes for version 18.9.2 (12802)
Published on 20 September 2018
Integrations

9 Improved Integrations
- __CrowdStrike Falcon Intel__
Improved integration tolerance in the ___cs-reports___ command.
- __Demisto REST API__
Added the ___demisto-delete-incidents___ command.
- __Imperva Incapsula__
- Improved outputs for the ___in-cap-upload-public-key___ command.
- Reorganized the urlDict and commands to match and correspond to the Incapsula API Documentation layout.
- Added Account Management API Calls.
- Added Site Management - Rules API Calls.
- Added Site Management - Data Centers API Calls.
- Added Infrastructure Protection Test Alert API Calls.
- __IBM QRadar__
Fixed a bug in which pagination missed some incidents.
- __ServiceNow__
Rewrote the integration in Python.
- __VirusTotal__
The protocol of a given URL is now lowercased.
- __Zscaler__
Added the following commands:
- ___zscaler-get-blacklist___
- ___zscaler-get-whitelist___
- __Rasterize__
Do not send the Rasterize base64 image as output, because large images can affect system performance. The correct way is to mark the Rasterize entry as a note or with a tag.
- __Cisco Webex Team__
Renamed the integration from Cisco Spark because of the product renaming.

---
Scripts

4 Deprecated Scripts
- __DemistoDeleteIncident__
Use the ___demisto-delete-incidents___ command in the Demisto REST API integration instead.
- __WhileLoop__
Use native loops instead.
- __WhileNotExistLoop__
Use native loops instead.
- __WhileNotMdLoop__
Use native loops instead.

---
Dashboards

Improved Dashboards
- __System Health__
Updated memory graphs and CPU usage graphs.

---
Incident Fields
Removed the HTML Image field, because large images can affect system performance.

---
Incident Layouts

Improved Incident Layout
- __Phishing - Summary__
Replaced the HTML Image field with the HTML Image section, because large images can affect system performance.

18.9.1

Demisto Content Release Notes for version 18.9.1 (12565)
Published on 06 September 2018
Integrations

3 New Integrations
- __PagerDuty v2__
Alert and notify users using PagerDuty. For more information, see the [PagerDuty documentation](https://support.demisto.com/hc/en-us/articles/360008517394-PagerDuty).
- __SCADAfence CNM__
Query and fetch data from SCADAfence CNM. For more information, see the [SCADAfence documentation](https://support.demisto.com/hc/en-us/articles/360008899633-SCADAfence-Continuous-Network-Monitor-CNM-).
- __Aella Starlight__
Pervasive breach detection system. For more information, see the [Aella Starlight documentation](https://support.demisto.com/hc/en-us/articles/360008872313-Aella-Starlight).

20 Improved Integrations
- __RSA Archer__
Passwords now support special characters.
- __Carbon Black Defense__
Improved outputs in the ___cbd-get-alerts-details___ command. For more information, see the [Carbon Black Defense documentation](https://support.demisto.com/hc/en-us/articles/360006171153-Carbon-Black-Defense).
- __CrowdStrike Falcon Host__
Improved outputs for the ___cs-device-search___ command. For more information, see the [CrowdStrike Falcon Host documentation](https://demisto.zendesk.com/hc/en-us/articles/360008475454).
- __Cybereason__
For more information, see the [Cybereason documentation](https://support.demisto.com/hc/en-us/articles/360007903594).
- Added the following commands.
- ___cybereason-add-comment___
- ___cybereason-query-malops___
- ___cybereason-update-malop-status___
- ___cybereason-malop-processes___
- Added malops fetch.
- Added client-certificate authentication.
- __McAfee ESM v10__
Added the following commands.
- ___esm-get-alarm-event-details___
- ___esm-list-alarm-events___
- __GRR Rapid Response__
Improved property identifier to username. For more information, see the [GRR Rapid Response documentation](https://support.demisto.com/hc/en-us/articles/360008866593-GRR-Rapid-Response).
- __MISP__
Fixed a proxy parameter issue.
- __McAfee Advanced Threat Defense__
Deprecated several commands. You should use the relevant detonate playbook. For more information, see the [McAfee Advanced Threat Defense documentation](https://support.demisto.com/hc/en-us/articles/360005343954-McAfee-Advanced-Threat-Defense-ATD-).
- ___detonate-file___
- ___detonate-url___
- __McAfee NSM__
Added proxy support.
- __Okta__
Added the following commands. For more information, see the [Okta documentation](https://support.demisto.com/hc/en-us/articles/360007824353-Okta).
- ___okta-suspend-user___
- ___okta-unsuspend-user___
- __RSA NetWitness v11.1__
There are separate checkboxes to fetch incident data and to fetch alert data. If you want to fetch alert data, you need to select both checkboxes. For more information, see the [NetWitness v11 documentation](https://demisto.zendesk.com/hc/en-us/articles/360006756714).
- __Rapid7 Nexpose__
Added the ___nexpose-create-site___ command. For more information, see the [Rapid7 Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333-Rapid7-Nexpose).
- __Salesforce__
Added the ___salesforce-delete-case___ command. For more information, see the [Salesforce documentation](https://support.demisto.com/hc/en-us/articles/360001848133-Salesforce).
- __SplunkPy__
Fixed an encoding issue in the ___splunk-submit-event___ command.
- __Cisco Threat Grid__
Added the playbook parameter.
- __Tanium__
- Added the following commands.
- ___tn-ask-manual-question___
- ___tn-get-sensor___
- ___tn-get-action___
- Modified the ___tn-deploy-package___ command.
- Added sensor variables as an argument.
- Added action details to the outputs.
- Improved raw response.
- Modified the ___tn-get-package___ command.
- Added sensor variable to outputs.
- __urlscan.io__
Fixed the display for empty ASN.
- __VirusTotal__
ScanID now appears in the context data instead of in the command's War Room output.
- __CyberArk AIM__
Added the ___cyber-ark-aim-query___ command.
- __Atlassian Jira__
Improved the ___jira-edit-issue___ command. For more information, see the [Jira documentation](https://support.demisto.com/hc/en-us/articles/236000927-Jira).


---
Scripts

1 New Script
- __EncodeToAscii__
Encodes input text data as ASCII (ignores any characters that are not interpreted as ASCII).

13 Improved Scripts
- __D2O365ComplianceSearch__
Fixed the ___file argument not found___ error.
- __D2O365SearchAndDelete__
Fixed the ___file argument not found___ error.
- __DeleteContext__
- Changed user from limited user to DBot.
- Added support to keep keys from nested objects and auto-trim for context path.
- __DomainReputation__
The Domain argument is now marked as default, so the script can be executed as an enhancement on Domain indicators.
- __IsEmailAddressInternal__
Handled context to prevent duplicates.
- __IsValueInArray__
Improved support for manual execution (parse string array).
- __MatchRegex__
Added the option to return all matches.
- __PagerDutyAlertOnIncident__
Updated to match PagerDuty API v2.
- __PagerDutyAssignOnCallUser__
Updated to match PagerDuty API v2.
- __PanoramaBlockIP__
Fixed the output types.
- __ParseEmailFiles__
Fixed header parsing.
- __ParseCSV__
- Added the __entryID__ argument to get the file entry by ID.
- The __file__ argument is deprecated.
- __IsIPInRanges__
Improved handling of spaces and new lines in provided IP ranges string.
---
Incident Fields
Added the __In-Reply-To__ field to the incident details.

---
Classification & Mapping

New Classification & Mapping
- __Aella Starlight__

2 Improved Classification & Mapping
- __EWS v2__
Removed default mapping of __html-body__ to prevent the rendering of malicious links.
- __Gmail__
Gmail classifier.
