Demisto-py

Latest version: v3.3.0


18.9.0

Demisto Content Release Notes for version 18.9.0 (12477)
Published on 04 September 2018
Integrations

3 New Integrations
- __PagerDuty v2__
Alert and notify users using PagerDuty. For more information, see the [PagerDuty documentation](https://support.demisto.com/hc/en-us/articles/360008517394-PagerDuty).
- __SCADAfence CNM__
Query and fetch data from SCADAfence CNM. For more information, see the [SCADAfence documentation](https://support.demisto.com/hc/en-us/articles/360008899633-SCADAfence-Continuous-Network-Monitor-CNM-).
- __Aella Starlight__
Pervasive breach detection system. For more information, see the [Aella Starlight documentation](https://support.demisto.com/hc/en-us/articles/360008872313-Aella-Starlight).

20 Improved Integrations
- __RSA Archer__
Passwords now support special characters.
- __Carbon Black Defense__
Improved outputs in the ___cbd-get-alerts-details___ command. For more information, see the [Carbon Black Defense documentation](https://support.demisto.com/hc/en-us/articles/360006171153-Carbon-Black-Defense).
- __CrowdStrike Falcon Host__
Improved outputs for the ___cs-device-search___ command. For more information, see the [CrowdStrike Falcon Host documentation](https://demisto.zendesk.com/hc/en-us/articles/360008475454).
- __Cybereason__
For more information, see the [Cybereason documentation](https://support.demisto.com/hc/en-us/articles/360007903594).
- Added the following commands.
- ___cybereason-add-comment___
- ___cybereason-query-malops___
- ___cybereason-update-malop-status___
- ___cybereason-malop-processes___
- Added malops fetch.
- Added client-certificate authentication.
- __McAfee ESM v10__
Added the following commands.
- ___esm-get-alarm-event-details___
- ___esm-list-alarm-events___
- __GRR Rapid Response__
Improved property identifier to username. For more information, see the [GRR Rapid Response documentation](https://support.demisto.com/hc/en-us/articles/360008866593-GRR-Rapid-Response).
- __MISP__
Fixed the proxy parameter issue.
- __McAfee Advanced Threat Defense__
Deprecated several commands. You should use the relevant detonate playbook. For more information, see the [McAfee Advanced Threat Defense documentation](https://support.demisto.com/hc/en-us/articles/360005343954-McAfee-Advanced-Threat-Defense-ATD-).
- ___detonate-file___
- ___detonate-url___
- __McAfee NSM__
Added proxy support.
- __Okta__
Added the following commands. For more information, see the [Okta documentation](https://support.demisto.com/hc/en-us/articles/360007824353-Okta).
- ___okta-suspend-user___
- ___okta-unsuspend-user___
- __RSA NetWitness v11.1__
There are separate checkboxes to fetch incident data and to fetch alert data. If you want to fetch alert data, you need to select both checkboxes. For more information, see the [NetWitness v11 documentation](https://demisto.zendesk.com/hc/en-us/articles/360006756714).
- __Rapid7 Nexpose__
Added the ___nexpose-create-site___ command. For more information, see the [Rapid7 Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333-Rapid7-Nexpose).
- __Salesforce__
Added the ___salesforce-delete-case___ command. For more information, see the [Salesforce documentation](https://support.demisto.com/hc/en-us/articles/360001848133-Salesforce).
- __SplunkPy__
Fixed an encoding issue in the ___splunk-submit-event___ command.
- __Cisco Threat Grid__
Added the playbook parameter.
- __Tanium__
- Added the following commands.
- ___tn-ask-manual-question___
- ___tn-get-sensor___
- ___tn-get-action___
- Modified the ___tn-deploy-package___ command.
- Added sensor variables as an argument.
- Added action details to the outputs.
- Improved raw response.
- Modified the ___tn-get-package___ command.
- Added sensor variable to outputs.
- __urlscan.io__
Fixed the display for empty ASN.
- __VirusTotal__
ScanID now appears in the context data instead of in the command's War Room output.
- __CyberArk AIM__
Added the ___cyber-ark-aim-query___ command.
- __Atlassian Jira__
Improved the ___jira-edit-issue___ command. For more information, see the [Jira documentation](https://support.demisto.com/hc/en-us/articles/236000927-Jira).


---
Scripts

1 New Script
- __EncodeToAscii__
Input text data to encode as ASCII. (Ignores any chars that are not interpreted as ASCII).

13 Improved Scripts
- __D2O365ComplianceSearch__
Fixed the ___file argument not found___ error.
- __D2O365SearchAndDelete__
Fixed the ___file argument not found___ error.
- __DeleteContext__
- Changed user from limited user to DBot.
- Added support to keep keys from nested objects and auto-trim for context path.
- __DomainReputation__
The domain argument is now marked as default, so the script can be executed as an enhancement on Domain indicators.
- __IsEmailAddressInternal__
Handled context to prevent duplicates.
- __IsValueInArray__
Improved support for manual execution (parse string array).
- __MatchRegex__
Added the option to return all matches.
- __PagerDutyAlertOnIncident__
Updated to match PagerDuty API v2.
- __PagerDutyAssignOnCallUser__
Updated to match PagerDuty API v2.
- __PanoramaBlockIP__
Fixed the output types.
- __ParseEmailFiles__
Fixed header parsing.
- __ParseCSV__
- Added the __entryID__ argument to get the file entry by ID.
- The __file__ argument is deprecated.
- __IsIPInRanges__
Improved handling of spaces and new lines in provided IP ranges string.
---
Incident Fields
Added the __In-Reply-To__ field to the incident details.

---
Classification & Mapping

New Classification & Mapping
- __Aella Starlight__

2 Improved Classification & Mapping
- __EWS v2__
Removed default mapping of __html-body__ to prevent the rendering of malicious links.
- __Gmail__
Gmail classifier.

18.8.2

Demisto Content Release Notes for version 18.8.2 (11982)
Published on 21 August 2018
Integrations

2 New Integrations
- __Gmail__
Search and process emails in the organizational Gmail mailboxes.
- __FireEye ETP__
FireEye Email Threat Prevention (ETP Cloud) is a cloud-based platform that protects against advanced email attacks. For more information, see the [FireEye ETP documentation](https://support.demisto.com/hc/en-us/articles/360007393074).

5 Improved Integrations
- __Moloch__
Updated the ___moloch_sessions_json___ command. For more information, see the [Moloch documentation](https://support.demisto.com/hc/en-us/articles/360008344133).
- Returns http method and status code.
- Follows the new API structure.
- __Shodan__
Made several enhancements to this integration. For more information, see the [Shodan documentation](https://support.demisto.com/hc/en-us/articles/360008183414).
- Added error handling of 404 error responses.
- Enhanced human readable output for the ___ip___ command.
- __Zscaler__
- Added the ___zscaler-get-categories___ command.
- Improved support for custom categories.
- __Cisco Threat Grid__
Added the ___playbook___ argument to the ___threat-grid-upload-sample___ command.
- __Atlassian Jira__
Added new commands.
- ___jira-edit-issue___
- ___jira-get-comments___


---
Scripts

3 New Scripts
- __DBotClosedIncidentsPercentage__
Data output script for populating a dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. See the corresponding ___Closed by DBot___ widget in the Widgets section.
- __DemistoGetIncidentTasksByState__
Get all tasks for a specific incident according to the incident state.
- __ShowScheduledEntries__
Display all scheduled entries for a specific incident.

6 Improved Scripts
- __DeleteContext__
Added the ability to delete a specific index in a key.
- __ParseCSV__
Fixed a unicode encoding issue.
- __TopMaliciousRatioIndicators__
Improved handling of duplicate indicators.
- __FindSimilarIncidents__
Enhanced the output declaration.
- __FindSimilarIncidentsByText__
Enhanced the output declaration.
- __GetDuplicatesMlv2__
Enhanced the output declaration.


---
Playbooks

3 New Playbooks
- __File Enrichment - File reputation__
Get the reputation for a file using one or more integrations.
- __File Enrichment - Virus Total Private API__
Get file information using the Virus Total Private API integration.
- __Get Original Email - Generic__
Use this playbook to retrieve the original email in the thread, including headers and attachments, when the reporting user forwarded the original email not as an attachment. This playbook contains the following sub-playbooks:
- __Get Original Email - EWS__
- __Get Original Email - Gmail__

5 Improved Playbooks
- __File Enrichment - Generic__
Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
- __Domain Enrichment - Generic__
Added support for the VirusTotal Private API integration.
- __IP Enrichment - Generic__
Added support for the VirusTotal Private API integration.
- __URL Enrichment - Generic__
Added support for the VirusTotal Private API integration.
- __Process Email - Generic__
Added support for retrieving the original email from both EWS and Gmail mail services.

---
Widgets

New Widget
- __Closed By DBot__
Displays the percentage of incidents handled and closed by DBot, without an assigned owner, across all incidents in the specified time period.

Classification & Mapping

New Classification & Mapping
- __Gmail__
Added Phishing mapping for Gmail Mapping.

18.8.1

Demisto Content Release Notes for version 18.8.1 (11545)
Published on 09 August 2018
Integrations
4 New Integrations
- __AlphaSOC Network Behavior Analytics__
Retrieve alerts from the AlphaSOC Analytics Engine. For more information, see the [AlphaSOC Network Behavior Analysis documentation](https://support.demisto.com/hc/en-us/articles/360007796993).
- __JASK__
Freeing the analyst with autonomous decisions. For more information, see the [JASK documentation](https://support.demisto.com/hc/en-us/articles/360007688894).
- __Palo Alto AppFramework__
This framework manages all Palo Alto Networks cloud managed products. For more information, see the [Palo Alto AppFramework documentation](https://support.demisto.com/hc/en-us/articles/360004173094).
- __VirusTotal - Private API__
Analyze suspicious hashes, URLs, domains, and IP addresses. For more information, see the [Virus Total - Private API documentation](https://support.demisto.com/hc/en-us/articles/360006427934).
12 Improved Integrations
- __ServiceNow__
Added the ___servicenow-get-computer___ command.
- __SplunkPy__
Improved handling of same key in ____raw___ event in parseNotableEventsRaw.
- __Okta__
Added new commands.
- ___list-groups___
- ___get-groups-members___
Added several arguments for other groups commands.
- __urlscan.io__
Improved DBotScore calculation.
- __ipinfo__
Improved DBotScore calculation.
- __VirusTotal__
- Enhanced outputs for the ___ip___, ___domain___, and ___file___ commands.
- Added support for scans table as output in the ___file___ and ___url___ commands.
- __Zscaler__
Added 4 new commands. For more information, see the [Zscaler documentation](https://support.demisto.com/hc/en-us/articles/115005074314).
- ___zscaler-category-add-url___
- ___zscaler-category-add-ip___
- ___zscaler-category-remove-url___
- ___zscaler-category-remove-ip___
- __FireEye (AX Series)__
Added the ___submit-url___ command.
- __Atlassian Jira__
Added support for sub-task creation. For more information, see the [Jira documentation](https://support.demisto.com/hc/en-us/articles/236000927).
- __OPSWAT-Metadefender__
Added support for Metadefender on cloud.
- __FireEye (AX Series)__
Added the ___submit-url___ command.
- __Joe Security__
Added support for multiple values in the ___submit___ and ___info___ commands.
---
Scripts
3 New Scripts
- __GenericPollingScheduledTask__
Runs the polling command repeatedly, completes a blocking manual task when polling is complete.
- __GetDuplicatesMlv2__
Find duplicate incident candidates using machine learning techniques with pre-defined data.
- __PrintErrorEntry__
Prints an error entry with a customizable message.
1 Improved Script
- __FindSimilarIncidentsByText__
- Support for multiple time fields.
- Support for custom text length.
1 Deprecated Script
- __GetDuplicatesMl__
Use the ___GetDuplicatesMlv2___ script instead.
---
Playbooks
New Playbook
- __Dedup - Generic__
Generic playbook to find duplicate incidents with one of the methods we have.

8 Improved Playbooks
- __Process Email - Generic__
Auto-extract indicators from emails (inline).
- __Entity Enrichment - Generic__
Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
- __File Enrichment - Generic__
Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
- __URL Enrichment__
Added support for the VirusTotal Private API integration.
- __IP Enrichment__
Added support for the VirusTotal Private API integration.
- __Domain Enrichment__
Added support for the VirusTotal Private API integration.
- __Phishing Investigation - Generic__
Added support for indicators extraction from files.
- __McAfee ATD Detonate File__
This playbook was added back to Demisto.
---

18.8.0

Demisto Content Release Notes for version 18.8.0 (11465)
Published on 08 August 2018
Integrations
4 New Integrations
- __AlphaSOC Network Behavior Analytics__
Retrieve alerts from the AlphaSOC Analytics Engine. For more information, see the [AlphaSOC Network Behavior Analysis documentation](https://support.demisto.com/hc/en-us/articles/360007796993).
- __JASK__
Freeing the analyst with autonomous decisions. For more information, see the [JASK documentation](https://support.demisto.com/hc/en-us/articles/360007688894).
- __Palo Alto AppFramework__
This framework manages all Palo Alto Networks cloud managed products. For more information, see the [Palo Alto AppFramework documentation](https://support.demisto.com/hc/en-us/articles/360004173094).
- __VirusTotal - Private API__
Analyze suspicious hashes, URLs, domains, and IP addresses. For more information, see the [Virus Total - Private API documentation](https://support.demisto.com/hc/en-us/articles/360006427934).
14 Improved Integrations
- __ServiceNow__
Added the ___servicenow-get-computer___ command.
- __SplunkPy__
Improved handling of same key in ____raw___ event in parseNotableEventsRaw.
- __Okta__
Added new commands.
- ___list-groups___
- ___get-groups-members___
Added several arguments for other groups commands.
- __urlscan.io__
Improved DBotScore calculation.
- __ipinfo__
Improved DBotScore calculation.
- __VirusTotal__
- Enhanced outputs for the ___ip___, ___domain___, and ___file___ commands.
- Added support for scans table as output in the ___file___ and ___url___ commands.
- __Zscaler__
Added 4 new commands. For more information, see the [Zscaler documentation](https://support.demisto.com/hc/en-us/articles/115005074314).
- ___zscaler-category-add-url___
- ___zscaler-category-add-ip___
- ___zscaler-category-remove-url___
- ___zscaler-category-remove-ip___
- __FireEye (AX Series)__
Added the ___submit-url___ command.
- __Atlassian Jira__
Added support for sub-task creation. For more information, see the [Jira documentation](https://support.demisto.com/hc/en-us/articles/236000927).
- __OPSWAT-Metadefender__
Added support for Metadefender on cloud.
- __Rapid7 Nexpose__
Added scan functionality using Nexpose Scan Site/Assets sub-playbooks.
- __FireEye (AX Series)__
Added the ___submit-url___ command.
- __Joe Security__
Added support for multiple values in the ___submit___ and ___info___ commands.
- __Carbon Black Enterprise Live Response__
Added explicit Carbon Black Live Response commands.
- ___cb-process-kill___
- ___cb-process-execute___
- ___cb-memdump___
- ___cb-command-create___
- ___cb-file-delete-from-endpoint___
- ___cb-registry-query-value___
- ___cb-registry-create-key___
- ___cb-registry-delete-key___
- ___cb-registry-delete-value___
- ___cb-registry-set-value___
- ___cb-process-list___
- ___cb-get-file-from-endpoint___
- ___cb-push-file-to-endpoint___
---
Scripts
3 New Scripts
- __GenericPollingScheduledTask__
Runs the polling command repeatedly, completes a blocking manual task when polling is complete.
- __GetDuplicatesMlv2__
Find duplicate incident candidates using machine learning techniques with pre-defined data.
- __PrintErrorEntry__
Prints an error entry with a customizable message.
1 Improved Script
- __FindSimilarIncidentsByText__
- Support for multiple time fields.
- Support for custom text length.
1 Deprecated Script
- __GetDuplicatesMl__
Use the ___GetDuplicatesMlv2___ script instead.
---
Playbooks
New Playbook
- __Dedup - Generic__
Generic playbook to find duplicate incidents with one of the methods we have.

6 Improved Playbooks
- __Process Email - Generic__
Auto-extract indicators from emails (inline).
- __Entity Enrichment - Generic__
Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
- __File Enrichment - Generic__
Added support for the VirusTotal Private API and Palo Alto Application Framework integrations.
- __URL Enrichment__
Added support for the VirusTotal Private API integration.
- __IP Enrichment__
Added support for the VirusTotal Private API integration.
- __Domain Enrichment__
Added support for the VirusTotal Private API integration.

---

18.7.3

Demisto Content Release Notes for version 18.7.3 (11000)
Published on 26 July 2018
Integrations
2 New Integrations
- __McAfee Advanced Threat Defense__
Integrated advanced threat detection and enhancing protection from network edge to endpoint.
- __Palo Alto - Minemeld__
Orchestrate threat intelligence and enforce new prevention-based controls.
6 Improved Integrations
- __PassiveTotal__
Improved handling of missing tag parameters.
- __Demisto Lock__
Increased the default timeout to 600 seconds.
- __Demisto REST API__
Added support for responses other than JSON.
- __Okta__
Changed the _proxy_ parameter from short text to boolean.
- __Symantec Managed Security Services__
- Severities for fetching incidents are now a configurable parameter.
- Fixed the incident occurrence time.
- __Cisco Threat Grid__
Added two new commands.
- ___threat-grid-detonate-file___
- ___threat-grid-url-to-file___
---
Scripts
2 New Scripts
- __DocumentationAutomation__
Automates integration documentation.
- __SSDeepReputation__
Calculates ssdeep reputation based on similar files (ssdeep similarity) in the system.
4 Improved Scripts
- __DeleteContext__
Added the ability to specify which context keys to retain when deleting all context.
- __DisplayHTML__
Fixed script execution when ___markAsNote___ was not defined.
- __ExportToCSV__
Modified to support more inputs.
- __ExposeIncidentOwner__
The script can now handle usernames that include a backslash.
---
Playbooks
New Playbooks
- __ATD - Detonate File__
Detonate a file using McAfee ATD.
2 Improved Playbooks
- __DeDup incidents__
Renamed the playbook.
- __Detonate File - Generic__
Added the ___detonate-file___ command in McAfee ATD.
---
Reputations
2 New Reputations
- Extract the domain from URLs.
- Added ssdeep reputation.

18.7.2

Demisto Content Release Notes for version 18.7.2 (10920)
Published on 24 July 2018
Integrations
2 New Integrations
- __RTIR__
Request Tracker for Incident Response (RTIR) is a ticketing system that provides pre-configured queues and workflows designed for incident response teams. For more information, see the [RTIR documentation](https://demisto.zendesk.com/hc/en-us/articles/360007258354).
- __Zoom__
Cloud-based enterprise video and audio conferencing. For more information, see the [Zoom documentation](https://support.demisto.com/hc/en-us/articles/360007369253).

11 Improved Integrations
- __ArcSight ESM__
Improved the ___as-add-entries___ command to support passing entries' array from context.
- __EWS v2__
The integration now handles unnamed attachments.
- __Passive Total__
Several integration improvements.
- Added support for proxy connections and insecure connections.
- Added support for ___id___ and ___domain___.
- The ___url___ command score is now based on ___pt-enrichment___, according to tags or classification.
- __Proofpoint TAP__
You can now specify which event types to fetch.
- __SentinelOne__
Updated the default API to v2.0.
- __SplunkPy__
Fixed a SplunkPy proxy issue.
- __Twilio__
When you test the integration instance, only credentials are checked.
- __FireEye (AX Series)__
Added functionality to submit URLs to FireEye and retrieve their status.
- ___fe-submit-url___
- ___fe-submit-url-status___
- __RSA NetWitness Security Analytics__
Added a maximum of 50 incidents per fetch from NetWitness.
- __Rasterize__
Added base64 output to the ___rasterize-email___ command.
- __AlienVault OTX__
Removed DBot Score outputs.
---
Scripts
2 New Scripts
- __FilterByList__
Checks whether a specified item is in a list. The default list is the Demisto Indicators Whitelist.
- __RepopulateFiles__
After running _DeleteContext_, this script can repopulate all of the file entries in the ${File} context key.
2 Improved Scripts
- __CrowdStrikeUrlParse__
ID is detected using a build number, which consists of digits (0-9) and has no length limitation.
- __ParseEmailFiles__
- Added support for SMTP mail text and ASCII text files.
- Fixed a bug in email address parsing.
1 Deprecated Script
- __CheckWhitelist__
Use the ___FilterByWhitelist___ script.
---
Playbooks
2 Improved Playbooks
- __Vulnerability Management - Nexpose (Job)__
- Removed built-in hostname.
- Added a task that closes the investigation when the job completes.
- __Process Email - Generic__
Upload HTML-rendered image to the Summary page.

---
Widgets

2 Improved Widgets
- __Server CPU Usage % (last 24h)__
Added support for data from the previous 24 hours.
- __Server Memory Usage % (last 24h)__
Added support for data from the previous 24 hours.
---
Incident Fields
1 New Incident Field
- Added HTML Image field.

---
Incident Layouts

1 Improved Incident Layout
- __Phishing - Summary__
Added HTML Image field.
