Demisto-py

Latest version: v3.3.0


18.7.1

Demisto Content Release Notes for version 18.7.1 (10607)
Published on 11 July 2018

Fixes

2 General Fixes
- In the Phishing Investigation - Generic playbook, fixed a task that failed due to missing incident fields.
- Added the Domain formatting script.

Integrations

4 New Integrations
- __Mail Sender (New)__
Send Python-implemented emails with support for embedded images. For more information, see the [Mail Sender (New) documentation](https://support.demisto.com/hc/en-us/articles/360006265573).
- __RedLock__
Cloud threat defense. For more information, see the [RedLock documentation](https://support.demisto.com/hc/en-us/articles/360006648773).
- __Rapid7 Nexpose__
Rapid7's on-premise vulnerability management solution. For more information, see the [Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333-Nexpose).
- __Recorded Future__
Unique threat intelligence technology that automatically serves up relevant insights in real time. For more information, see the [Recorded Future documentation](https://support.demisto.com/hc/en-us/articles/360006572474).

13 Improved Integrations
- __CrowdStrike Falcon Sandbox__
Added support for single-server setup.
- __Cylance Protect v2__
In context, device data outputs are now under the Endpoint path.
- __Farsight DNSDB__
  - Improved error handling for 400 and 404 responses.
  - Improved human-readable output.
- __EWS v2__
Fixed handling of attachments with empty name or content.
- __ipinfo__
Added support for using an API token with paid plans.
- __PostgreSQL__
Fixed the ___no rows returned___ error.
- __Tanium__
Fixed Tanium timeout on errors.
- __VMware__
Fixed VMware timeout on errors.
- __CrowdStrike Falcon Intel__
Added support for v2 indicator API. For more information, see the [CrowdStrike Falcon Intelligence v2 documentation](https://support.demisto.com/hc/en-us/articles/360006777013-CrowdStrike-Falcon-Intelligence-v2).
- __TruSTAR__
Added priority level and deep links to the ___related-indicators___ command.
- __AWS - EC2__
Added 6 new commands:
  - ___aws-ec2-copy-image___
  - ___aws-ec2-copy-snapshot___
  - ___aws-ec2-describe-reserved-instances___
  - ___aws-ec2-monitor-instances___
  - ___aws-ec2-unmonitor-instances___
  - ___aws-ec2-reboot-instances___
- __Palo Alto WildFire__
Handled the missing report exception for the ___wildfire-report___ command.
- __Demisto REST API__
Added the ___demisto-api-multipart___ and ___demisto-api-download___ commands to upload files to and download files from the Demisto server.

---
Scripts

4 New Scripts
- __IPToHost__
Get the hostname correlated with the input IP.
- __NexposeCreateIncidentsFromAssets__
Create incidents based on the Nexpose asset ID and vulnerability ID.
- __DemistoLogsBundle__
Imports the Demisto Log Bundle to the current War Room.
- __DemistoUploadFile__
Upload a file from the current incident's War Room to another incident's War Room.

2 Improved Scripts
- __EmailAskUser__
Added ___cc___ and ___bcc___ arguments.
- __ExtractDomainFromUrlAndEmail__
Avoids errors in the domain formatting script.

---
Playbooks

4 New Playbooks
- __Access Investigation - Generic__
Investigate an access incident by gathering user and IP information.
- __Access Investigation - QRadar__
Use the QRadar integration to investigate an access incident by gathering user and IP information.
- __Vulnerability Handling - Nexpose__
Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools.
- __Vulnerability Management - Nexpose (Job)__
Manage assets' vulnerabilities using Rapid7 Nexpose.

5 Improved Playbooks
- __Calculate Severity - 3rd-party integrations__
Added support for Nexpose severity.
- __Calculate Severity - Generic__
Added support for Nexpose severity.
- __IP Enrichment - Generic__
Added IP-to-host capability.
- __Process Email - Generic__
This is now a generic playbook, and supports all relevant integrations (not only EWS).
- __Tanium Demo Playbook__
Removed the deploy action command at the end of the playbook.

18.7.0

Demisto Content Release Notes for version 18.7.0 (10573)
Published on 10 July 2018

Integrations

4 New Integrations
- __Mail Sender (New)__
Send Python-implemented emails with support for embedded images. For more information, see the [Mail Sender (New) documentation](https://support.demisto.com/hc/en-us/articles/360006265573).
- __RedLock__
Cloud threat defense. For more information, see the [RedLock documentation](https://support.demisto.com/hc/en-us/articles/360006648773).
- __Rapid7 Nexpose__
Rapid7's on-premise vulnerability management solution. For more information, see the [Nexpose documentation](https://support.demisto.com/hc/en-us/articles/360006756333-Nexpose).
- __Recorded Future__
Unique threat intelligence technology that automatically serves up relevant insights in real time. For more information, see the [Recorded Future documentation](https://support.demisto.com/hc/en-us/articles/360006572474).

12 Improved Integrations
- __CrowdStrike Falcon Sandbox__
Added support for single-server setup.
- __Cylance Protect v2__
In context, device data outputs are now under the Endpoint path.
- __Farsight DNSDB__
  - Improved error handling for 400 and 404 responses.
  - Improved human-readable output.
- __EWS v2__
Fixed handling of attachments with empty name or content.
- __ipinfo__
Added support for using an API token with paid plans.
- __PostgreSQL__
Fixed the ___no rows returned___ error.
- __Tanium__
Fixed Tanium timeout on errors.
- __VMware__
Fixed VMware timeout on errors.
- __CrowdStrike Falcon Intel__
Added support for v2 indicator API. For more information, see the [CrowdStrike Falcon Intelligence v2 documentation](https://support.demisto.com/hc/en-us/articles/360006777013-CrowdStrike-Falcon-Intelligence-v2).
- __TruSTAR__
Added priority level and deep links to the ___related-indicators___ command.
- __AWS - EC2__
Added 6 new commands:
  - ___aws-ec2-copy-image___
  - ___aws-ec2-copy-snapshot___
  - ___aws-ec2-describe-reserved-instances___
  - ___aws-ec2-monitor-instances___
  - ___aws-ec2-unmonitor-instances___
  - ___aws-ec2-reboot-instances___
- __Palo Alto WildFire__
Handled the missing report exception for the ___wildfire-report___ command.

---
Scripts

2 New Scripts
- __IPToHost__
Get the hostname correlated with the input IP.
- __NexposeCreateIncidentsFromAssets__
Create incidents based on the Nexpose asset ID and vulnerability ID.

2 Improved Scripts
- __EmailAskUser__
Added ___cc___ and ___bcc___ arguments.
- __ExtractDomainFromUrlAndEmail__
Avoids errors in the domain formatting script.

---
Playbooks

4 New Playbooks
- __Access Investigation - Generic__
Investigate an access incident by gathering user and IP information.
- __Access Investigation - QRadar__
Use the QRadar integration to investigate an access incident by gathering user and IP information.
- __Vulnerability Handling - Nexpose__
Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools.
- __Vulnerability Management - Nexpose (Job)__
Manage assets' vulnerabilities using Nexpose.

5 Improved Playbooks
- __Calculate Severity - 3rd-party integrations__
Added support for Nexpose severity.
- __Calculate Severity - Generic__
Added support for Nexpose severity.
- __IP Enrichment - Generic__
Added IP-to-host capability.
- __Process Email - Generic__
This is now a generic playbook, and supports all relevant integrations (not only EWS).
- __Tanium Demo Playbook__
Removed the deploy action command at the end of the playbook.

18.6.1

Demisto Content Release Notes for version 18.6.1 (10262)
Published on 26 June 2018

Integrations

2 New Integrations
- __AlphaSOC Wisdom__
Manage DNS and IP threat intelligence using the AlphaSOC platform. For more information, see the [AlphaSOC documentation](https://support.demisto.com/hc/en-us/articles/360006166134).
- __Demisto Lock__
Locking mechanism that prevents concurrent execution of different tasks. For more information, see the [Demisto Lock documentation](https://support.demisto.com/hc/en-us/articles/360006245733).

9 Improved Integrations
- __Demisto REST API__
Added support for responses other than JSON.
- __EWS v2__
When searching all mailboxes, mailboxes without mailboxId are now skipped.
- __Lastline__
Fixed the _lastline-upload_ command.
- __SplunkPy__
Fixed the issue in which the _splunk-notable-event-edit_ command took proxy settings when not required.
- __Symantec MSS__
Severity levels for fetching incidents are now a configurable parameter.
Fixed incident occurrence time.
For more information, see the [Symantec documentation](https://support.demisto.com/hc/en-us/articles/115004526713).
- __VxStream__
Added the following to this integration:
  - _submit-file-by-url_ command
  - DBot Score support
  - Improved handling of empty results returned from the _scan_ command
- __Intezer__
Added the _intezer-upload_ command. For more information, see the [Intezer documentation](https://support.demisto.com/hc/en-us/articles/360006292853).
- __Carbon Black Defense__
Added outputs to _cbd-get-alert-details_.
- __RSA NetWitness Packets and Logs__
Updated argument types.

---
Scripts

2 New Scripts
- __ExtractDomainFromUrlAndEmail__
Extract the domain from a URL or email.
- __SplunkPySearch__
Run a query through Splunk and format the results as a table.

4 Improved Scripts
- __DisplayHTML__
Fixed script execution in cases that _markAsNote_ was not defined.
- __ExposeIncidentOwner__
Handles usernames that include a backslash.
- __QRadarFullSearch__
Removed the _auto-log_ line.
- __BuildEWSQuery__
Added a parameter for stripping prefixes from the subject.

---
Playbooks

1 New Playbook
- __DeDup incidents__
Checks the current incident for duplicate incidents and closes any duplicates.

2 Improved Playbooks
- __CrowdStrike Falcon Sandbox - Detonate file__
Added support for this command to the upgraded integration.
- __Search And Delete Emails - EWS__
Added the _target-mail-box_ input parameter to the _Delete emails from EWS_ task.

---
Reputations
2 New Reputations
- Extract the domain from URLs.
- Added ssdeep reputation.

18.6.0

Demisto Content Release Notes for version 18.6.0 (9870)
Published on 13 June 2018

Integrations

7 New Integrations
- __IBM Resilient Systems__
Case management that enables visibility across your tools for continual IR improvement. For more information, see the [IBM Resilient Systems documentation](https://support.demisto.com/hc/en-us/articles/360005831053).
- __Dell SecureWorks__
Handle tickets in SecureWorks. For more information, see the [Dell SecureWorks documentation](https://support.demisto.com/hc/en-us/articles/360004106474).
- __AWS - EC2__
Amazon Web Services Elastic Compute Cloud (EC2). For more information, see the [AWS EC2 documentation](https://demisto.zendesk.com/hc/en-us/articles/360005580234).
- __AWS - GuardDuty__
Amazon Web Services GuardDuty service. For more information, see the [AWS GuardDuty documentation](https://support.demisto.com/hc/en-us/articles/360005817333).
- __AWS - IAM__
Amazon Web Services Identity and Access Management (IAM). For more information, see the [AWS IAM documentation](https://demisto.zendesk.com/hc/en-us/articles/360005507193).
- __AWS - Route53__
Amazon Web Services Managed Cloud DNS Service. For more information, see the [AWS Route 53 documentation](https://support.demisto.com/hc/en-us/articles/360005419254).
- __AWS - SQS__
Amazon Web Services Simple Queuing Service (SQS). For more information, see the [AWS SQS documentation](https://support.demisto.com/hc/en-us/articles/360004122933).

5 Improved Integrations
- __EWS Mail Sender__
Solved the ___error_message not defined___ issue.
- __AWS - S3__
Changed the authentication method to STS AssumeRole. For more information, see the [AWS S3 documentation](https://support.demisto.com/hc/en-us/articles/360001941113).
- __EWS v2__
This integration can now handle errors when moving an item between mailboxes using impersonation. For more information, see the [EWS v2 documentation](https://support.demisto.com/hc/en-us/articles/360002253814-EWSv2).
- __Rasterize__
Improved __Test__ button functionality.
- __Cisco Umbrella Investigate__
Fixed categorization false positive.

---
Scripts

2 New Scripts
- __CrowdStrikeUrlParse__
Parse a CrowdStrike alert URL, extract the Agent ID, and pass to the ___cs-device-details___ command to return device details.
- __DecodeMimeHeader__
Decode MIME base64 headers.

12 Improved Scripts
- __BuildEWSQuery__
  - Converted to Python.
  - Added output context.
  - Added support for query limitation.
- __EmailAskUserResponse__
This script can now handle BR tags in an HTML response.
- __FindSimilarIncidents__
This script can now:
  - Handle exceptions for empty results.
  - Support more than one incident key.
  - Support multiple date formats.
- __ParseEmailFiles__
You can now print both text and HTML body parts in a War Room entry.
- __Strings__
Improved handling of text files.
- __SetDateField__
Changed the ___SetDateField___ time format to correctly include the year.
- __IncidentSet__
Deprecated - use the ___setIncident___ command instead.

Better error handling for:
- __DomainReputation__
- __EmailReputation__
- __FileReputation__
- __IPReputation__
- __URLReputation__

---
Playbooks

6 New Playbooks
- __Calculate Severity - 3rd-party integrations__
Calculates the incident severity level according to the methodology of a 3rd-party integration.
- __Calculate Severity - Critical assets__
Determines if a critical asset is associated with the investigation. The playbook returns a severity level of ___Critical___ if a critical asset is associated with the investigation.
- __Calculate Severity - Indicators DBotScore__
Calculates the incident severity level according to the highest indicator DBotScore.
- __Search And Delete Emails - EWS__
This playbook searches EWS to identify and delete emails with attributes similar to those of a malicious email.
- __Search And Delete Emails - Generic__
This playbook searches for and deletes emails with attributes similar to those of a malicious email.

2 Improved Playbooks
- __Calculate Severity - Generic__
Separated playbook logic into sub-playbooks, and improved documentation.
- __Phishing Investigation - Generic__
Added a response section, including support for searching for and deleting malicious emails.

---
Incident Layouts

New Incident Layouts
- __Malware__
New Summary and New/Edit layout for malware.

---
Classification & Mapping

New Classification & Mapping
- __crowdstrike-streaming-api__
Added Malware mapping for CrowdStrike.

Improved Classification & Mapping
- __SplunkPy__
Added Malware mapping.

18.5.4

Demisto Content Release Notes for version 18.5.4 (9454)
Published on 29 May 2018

Integrations

2 New Integrations
- __ReversingLabs A1000__
ReversingLabs A1000 Malware Analysis Platform.
- __ReversingLabs Titanium Cloud__
ReversingLabs data provides the malware status of the sample.

8 Improved Integrations
- __Carbon Black Enterprise Live Response__
Added an option to configure instances with Carbon Black Defense credentials.
- __FalconHost__
Added context output for the _cs-device-details_ command.
- __Cybereason__
Improved the query sent in _query-connections_, added outputs to _is-probe-connected_, and removed the _login_ command.
- __Cylance Protect v2__
Added DBotScore support, including a file threshold for marking files as malicious.
- __EWS v2__
Added the _ews-move-between-mailboxes_ command. When fetching emails, email attachments are now saved to the War Room. Running _ews-get-attachment_ on an attached email message (ItemAttachment) now saves the message and all of its attachments as downloadable files in the War Room.
- __QRadar__
Fixed an upgrade issue with fetching incidents.
- __WildFire__
Added verification for MD5/SHA256 arguments.
- __Jira__
Added an option to use a proxy.

---
Scripts

3 New Scripts
- __DisplayHTML__
Displays HTML in the War Room.
- __QualysCreateIncidentFromReport__
Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID).
- __SetDateField__
Sets a custom incident field to the current date.

Improved Scripts
- __EmailAskUser__
Added support for parallel execution of the script, with better error handling.

---
Playbooks

9 New Playbooks
- __CVE Enrichment - Generic__
Enrich CVE using one or more integrations.
- __Vulnerability Handling - Qualys__
Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools.
- __Vulnerability Handling - Qualys - Add custom fields to default layout__
Add information about the vulnerability and asset from the "Vulnerability Handling - Qualys" playbook data to the default "Vulnerability" layout.
- __Vulnerability Management - Qualys (Job)__
Use the latest Qualys report to manage vulnerabilities.

Improved Playbooks
- __Calculate Severity - Generic__
Added support for Qualys.
- __Domain Enrichment - Generic__
Enrich Domain using one or more integrations.
- __Email Address Enrichment - Generic__
Get email address reputation using one or more integrations.
- __File Enrichment - Generic__
Get file reputation using one or more integrations.
- __IP Enrichment - Generic__
Enrich IP using one or more integrations.
- __URL Enrichment - Generic__
Enrich URL using one or more integrations.

Added support for auto-extract for the following playbooks:
- __Domain Enrichment - Generic__
- __Email Address Enrichment - Generic__
- __File Enrichment - Generic__
- __IP Enrichment - Generic__
- __URL Enrichment - Generic__

---
Incident Fields
Added default Vulnerability fields.

---
Incident Layouts

New Incident Layouts
- __Vulnerability__ - Summary and New/Edit default layouts

---
Reputations
Added the Domain reputation type.

18.5.3

Demisto Content Release Notes for version 18.5.3 (9191)
Published on 14 May 2018

Integrations

2 New Integrations
- __Amazon SQS__
Manage messages in your Amazon SQS environment.
- __SafeBreach__
SafeBreach simulates attacks across the kill chain, to validate security policy, configuration, and effectiveness.

2 Improved Integrations
- __CrowdStrike Falcon Sandbox__
Upgraded to API v2 and added the following commands: _get-screenshots_, _submit-url_, _file_ and _detonate-url_.
- __FireEye HX__
Added an option to acquire files using the API.

The following integrations now let you specify the threshold value for malicious indicators as an instance parameter:
- __VirusTotal__
- __XFE__

Playbooks

4 Improved Playbooks
- __Malware Investigation - Generic__
You can now investigate malware using one or more integrations.
- __Entity Enrichment - Generic__
Added support for auto extract.
- __Malware Investigation - Generic__
Added support for auto extract.
- __Phishing Investigation - Generic__
Added support for auto extract.
- __Process Email - Generic__
Added support for EWS and Phishing default mapping.

Scripts

New Scripts
- __FindSimilarIncidentsByText__
Finds similar incidents by text comparison; the algorithm is based on the TF-IDF method. For more information about this method, see https://en.wikipedia.org/wiki/Tf%E2%80%93idf

2 Improved Scripts
- __CommonServerPython__
Fixed a _tableToMarkdown_ escaping bug.
- __JIRAPrintIssue__
Added dependency on the _jira-get-issue_ command.
Reputations

Improved Reputations
