Demisto-py

Latest version: v3.3.0

Page 24 of 33

17.12.3

Demisto Content Release Notes for version 17.12.3 (5348)
Published at 24 December 2017

Playbooks

4 New Playbooks
- Calculate Severity - Generic
-- Calculate incident severity by indicators reputation and user/endpoint membership in critical groups
- Get File Sample From Hash - Carbon Black Enterprise Response
-- Returns to the war-room a file sample correlating to MD5 hashes in the context using Carbon Black Enterprise Response integration
- Get File Sample From Hash - Cylance Protect
-- Returns to the war-room a file sample correlating to SHA256 hashes in the context using Cylance Protect integration
- Get File Sample From Hash - Generic
-- Returns to the war-room a file sample correlating from a hash using one or more products
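The "Calculate Severity - Generic" playbook above combines two signals: the reputation of the incident's indicators and whether the involved users or endpoints belong to critical groups. The Python below is an added example written for this page to show one way of combining those signals; it is not the playbook's own logic or any Demisto code. It assumes DBotScore-style reputations (0 unknown, 1 good, 2 suspicious, 3 bad) and Demisto's numeric severities (0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical); the mapping "bad -> High, suspicious -> Medium, good -> Low, critical-group membership raises the result one level" and the group names, users and endpoints are assumptions constructed for the example.

```python
"""Added example (not the Demisto playbook itself): derive an incident severity from
the worst indicator reputation, then escalate one level if any involved user or
endpoint is a member of a critical group. Mapping rules and data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# DBotScore convention: 0 unknown, 1 good, 2 suspicious, 3 bad.
# Demisto severity scale: 0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_BY_DBOT_SCORE = {0: 0, 1: 1, 2: 2, 3: 3}  # assumed mapping for this example
SEVERITY_NAMES = {0: "Unknown", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
CRITICAL_SEVERITY = 4

# Constructed critical groups; a real deployment would pull these from AD or the EDR.
CRITICAL_USER_GROUPS: Set[str] = {"Domain Admins", "Executives"}
CRITICAL_ENDPOINT_GROUPS: Set[str] = {"Domain Controllers", "PCI Servers"}


@dataclass(frozen=True)
class Indicator:
    value: str
    dbot_score: int


@dataclass(frozen=True)
class Incident:
    indicators: Tuple[Indicator, ...]
    users: Tuple[str, ...]
    endpoints: Tuple[str, ...]


def reputation_severity(indicators: Iterable[Indicator]) -> int:
    """The worst indicator reputation sets the base severity; unknown scores count as 0."""
    scores = [SEVERITY_BY_DBOT_SCORE.get(i.dbot_score, 0) for i in indicators]
    return max(scores, default=0)


def touches_critical_group(members: Iterable[str],
                           membership: Dict[str, List[str]],
                           critical: Set[str]) -> bool:
    """True if any listed user/endpoint belongs to at least one critical group."""
    return any(critical.intersection(membership.get(m, ())) for m in members)


def calculate_severity(incident: Incident,
                       user_groups: Dict[str, List[str]],
                       endpoint_groups: Dict[str, List[str]]) -> Tuple[int, str]:
    """Base severity from reputation, raised one level (capped at Critical) for critical assets."""
    base = reputation_severity(incident.indicators)
    critical = (touches_critical_group(incident.users, user_groups, CRITICAL_USER_GROUPS)
                or touches_critical_group(incident.endpoints, endpoint_groups, CRITICAL_ENDPOINT_GROUPS))
    severity = min(base + 1, CRITICAL_SEVERITY) if critical else base
    return severity, SEVERITY_NAMES[severity]


# Constructed group membership for the sample runs below.
USER_GROUPS = {"alice": ["Domain Users", "Domain Admins"], "bob": ["Domain Users"]}
ENDPOINT_GROUPS = {"dc01": ["Domain Controllers"], "ws-bob": ["Workstations"]}


def example_incidents() -> Dict[str, Incident]:
    """Three constructed incidents covering the main branches of the calculation."""
    return {
        "admin_hit_bad_ioc": Incident((Indicator("evil.example", 3),), ("alice",), ("ws-alice",)),
        "user_suspicious": Incident((Indicator("198.51.100.7", 2),), ("bob",), ("ws-bob",)),
        "no_reputation": Incident((), ("bob",), ("ws-bob",)),
    }


if __name__ == "__main__":
    for name, inc in example_incidents().items():
        print(name, calculate_severity(inc, USER_GROUPS, ENDPOINT_GROUPS))
```

The escalation is deliberately one level rather than a jump straight to Critical, so a suspicious indicator on an admin account lands at High and still leaves room for a confirmed-malicious indicator to rank above it.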



Integrations

2 New Integrations
- Symantec MSS
-- Symantec Managed Security Services
- OPSWAT-Metadefender
-- Metadefender multi-scanning engine that uses 30+ anti-malware engines to scan files for threats

7 Improved Integrations
- GRR
-- Fixed parsing of paths for grr_get_files
- EWS
-- Added the move-item command; incidents can now be fetched by folder ID
- Okta
-- Added okta-unlock-user command
- Phishme Intelligence
-- Added Threat IDs and last published date to output
- QRadar
-- Added support for offense notes
- Vmray
-- The upload_sample command can now take a war-room file
- VirusTotal
-- Handles responses with a missing ASN




Scripts

2 New Scripts
- LanguageDetect
-- Language detection based on Google's language-detection
- SendMessageToOnlineUsers
-- Send message to Demisto online users over Email, Slack or both

Improved Scripts
- EmailAskUserResponse
-- Ignore multi-line scripts and style sections in email body

 
 
❅ ❅ ❅ Demisto Wishes You Happy Holidays ❅ ❅ ❅

17.12.2

Demisto Content Release Notes for version 17.12.2 (5067)


Integrations

New Integrations
- Secdo
-- Secdo's automated incident response platform hunts threats in real time and delivers an endpoint detection and response solution

9 Improved Integrations
- McAfee Advanced Threat Defense
-- Complex fields are now formatted for better readability
- EWS
-- Supports searching more than 20000 mailboxes
- OpsGenie
-- Added ability to get all schedules, and to get on-call for future time
- Check Point Sandblast
-- Added an option to use the integration without API key (for example, when using on premises)
- ServiceNow
-- Added type ticket (normal, standard, emergency) argument to the create and update commands
-- Added ticket state argument to the create and update commands
-- Added Get group details command (servicenow-get-groups)
- SplunkPy
-- Supports queries that start with | on splunk-search
- Tanium
-- Added option to specify Action Group for tn-deploy-action
- VirusTotal
-- Handles responses with a missing ASN
- VxStream
-- Added file detonation




Scripts

4 New Scripts
- ContextGetEmails
-- Gets all email addresses in context
- ContextGetHashes
-- Gets hashes (MD5,SHA1,SHA256) from context
- ContextGetIps
-- Gets all IP addresses in context
- listExecutedCommands
-- Lists executed commands in War Room

2 Improved Scripts
- ADGetGroupMembers
-- Fixed script failure when user/computer has no groups
- IsIPInRanges
-- Fixed subnet calculation

Deprecated Scripts
- IsIPInSubnet
-- Use IsIPInRanges instead



Common Utilities Functions

Javascript New Utilities
- formatTableValuesAdded
-- Formats Demisto table cells as strings

17.12.1

Demisto Content Release Notes for version 17.12.1 (5041)


Integrations

New Integrations
- Secdo
-- Secdo's automated incident response platform hunts threats in real time and delivers an endpoint detection and response solution

8 Improved Integrations
- McAfee Advanced Threat Defense
-- Complex fields are now formatted for better readability
- EWS
-- Supports searching more than 20000 mailboxes
- OpsGenie
-- Added ability to get all schedules, and to get on-call for future time
- Check Point Sandblast
-- Added an option to use the integration without API key (for example, when using on premises)
- ServiceNow
-- Added type ticket (normal, standard, emergency) argument to the create and update commands
-- Added ticket state argument to the create and update commands
-- Added Get group details command
- SplunkPy
-- Supports queries that start with | on splunk-search
- Tanium
-- Added option to specify Action Group for tn-deploy-action
- VxStream
-- Added file detonation




Scripts

5 New Scripts
- ContextGetEmails
-- Gets all email addresses in context
- ContextGetHashes
-- Gets hashes (MD5,SHA1,SHA256) from context
- ContextGetIps
-- Gets all IP addresses in context
- DedupIncidentsByML
-- Scans the given incident (or the incident currently being investigated) for similar incidents in the Demisto platform; if one is found, marks the current incident as a duplicate and closes it
- listExecutedCommands
-- Lists executed commands in War Room

2 Improved Scripts
- ADGetGroupMembers
-- Fixed script failure when user/computer has no groups
- IsIPInRanges
-- Fixed subnet calculation

Deprecated Scripts
- IsIPInSubnet
-- Use IsIPInRanges instead
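The ContextGetEmails, ContextGetHashes and ContextGetIps scripts (listed under both 17.12.2 and 17.12.1 above) pull indicators out of the incident context, and the IsIPInRanges fix concerns subnet arithmetic. The Python below is an added example written for this page, not the scripts' own code: it walks a nested context of arbitrary shape, extracts e-mail addresses, IPv4 addresses and hashes (classified as MD5/SHA1/SHA256 by hex length), and checks an IP against CIDR ranges with the standard-library ipaddress module, which gets the subnet boundaries right (192.168.10.42 is inside 192.168.10.0/26 but not 192.168.10.64/26). The regexes, function names and the sample context are constructed for the example.

```python
"""Added example (not the Demisto ContextGet*/IsIPInRanges scripts): extract e-mails,
IPv4 addresses and hashes from a nested context, and test IPs against CIDR ranges.
Sample context and patterns are constructed for this example."""
import ipaddress
import re
from typing import Any, Dict, Iterable, Iterator, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Word boundaries keep a 64-hex SHA256 from also matching as a 32-hex MD5 prefix.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string leaf in a nested dict/list context, regardless of path."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from iter_strings(value)


def context_get_emails(context: Any) -> List[str]:
    """All e-mail addresses found anywhere in the context, lower-cased and de-duplicated."""
    return sorted({m.lower() for s in iter_strings(context) for m in EMAIL_RE.findall(s)})


def context_get_ips(context: Any) -> List[str]:
    """All syntactically valid IPv4 addresses; ipaddress rejects octets above 255."""
    found = set()
    for s in iter_strings(context):
        for candidate in IPV4_RE.findall(s):
            try:
                found.add(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return sorted(found, key=ipaddress.ip_address)


def context_get_hashes(context: Any) -> Dict[str, List[str]]:
    """Hashes grouped by type, decided by hex length (32/40/64)."""
    out: Dict[str, set] = {"MD5": set(), "SHA1": set(), "SHA256": set()}
    for s in iter_strings(context):
        for h in HASH_RE.findall(s):
            out[HASH_TYPES[len(h)]].add(h.lower())
    return {kind: sorted(values) for kind, values in out.items()}


def is_ip_in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip falls inside any CIDR range; strict=False tolerates host bits in the range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


# Constructed sample context in the shape Demisto scripts see (paths are illustrative).
SAMPLE_CONTEXT = {
    "Email": {
        "From": "attacker@evil.example",
        "To": ["Alice <alice@corp.example>"],
        "Body": "see http://10.1.2.3/x.exe md5 d41d8cd98f00b204e9800998ecf8427e",
    },
    "File": [{"Name": "x.exe",
              "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
    "Endpoint": {"IPAddress": "192.168.10.42", "Bogus": "999.1.1.1"},
    "DBotScore": [{"Indicator": "alice@corp.example", "Score": 1}],
}

if __name__ == "__main__":
    print(context_get_emails(SAMPLE_CONTEXT))
    print(context_get_ips(SAMPLE_CONTEXT))
    print(context_get_hashes(SAMPLE_CONTEXT))
    for ip in context_get_ips(SAMPLE_CONTEXT):
        print(ip, is_ip_in_ranges(ip, ["10.0.0.0/8", "192.168.10.0/26"]))
```

Walking every string leaf rather than fixed paths is what makes the extraction robust to integrations that place the same data under different context keys; validating candidates with ipaddress rather than trusting the regex is what keeps junk like 999.1.1.1 out of the result.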



Common Utilities Functions

Javascript New Utilities
- formatTableValuesAdded
-- Formats Demisto table cells as strings

17.11.1

Release Notes for version 17.11.1 (4833)

Playbooks

1 Improved Playbook
- Tanium Demo Playbook
-- Updated playbook with new commands

Integrations

2 New Integrations
- Demisto REST API
-- Use the Demisto REST APIs on both the local and external Demisto servers
- Icebrg
-- iceberg.io Streaming Network Forensics

15 Improved Integrations
- Tanium
-- Tanium integration was vastly improved and now provides more Tanium SDK options
- McAfee Advanced Threat Defense
-- Fixed get-reports command (permissions to download PDF and samples and types of files)
- Anomali ThreatStream
-- Added a threshold argument that determines whether a query result is classified as malicious
- Carbon Black Defense
-- Added proxy and skip certificate check options
- Service Manager
-- Added descriptions to commands
- IntSights
-- Prints the response body when JSON parsing fails
- LightCyber Magna
-- Added descriptions for some arguments
- EWS
-- Fixed fetch-incidents when the e-mail has no "To:" header
- Phishme Intelligence
-- Changed reputation of threats to be calculated by severity level
- PhishTank
-- Integration is now enabled by default
- ProtectWise
-- Added descriptions for outputs
- QRadar
-- Prints a descriptive message on parsing errors
- Urlscan.io
-- Integration is now enabled by default
- Vmray
-- Now uses a public Docker image
- CyberArkAIM
-- Supports fetching multiple credentials
-- Added list-credentials command


Scripts

6 New Scripts
- ContextGetPathForString
-- Searches for string in context and returns context path
- DemistoCreateList
-- Creates a new Demisto list
- DemistoDeleteIncident
-- Deletes an incident from Demisto
- DemistoLinkIncidents
-- Links two or more incidents
- DemistoSendInvite
-- Sends invitation to join Demisto
- JIRAPrintIssue
-- Pretty print JIRA issue into the incident war room

1 Improved Script
- http
-- Added support for downloading a file to the war room

6 Deprecated Scripts
- TaniumApprovePendingActions
-- Deprecated. Use tn-approve-pending-action instead
- TaniumAskQuestion
-- Deprecated. Use tn-ask-question instead
- TaniumAskQuestionComplex
-- Deprecated. Use tn-ask-question instead
- TaniumDeployAction
-- Deprecated. Use tn-deploy-package instead
- TaniumFindRunningProcesses
-- Deprecated. Use tn-ask-question instead
- TaniumShowPendingActions
-- Deprecated. Use tn-get-all-pending-actions instead

17.11.0

Release Notes for version 17.11.0 (4518)

General
- The format of Demisto content version numbers has been changed to make them easier to follow. Content versions are now of the form '<YY>.<MM>.<N>', where N counts the releases within that month. For example, 17.11.0 is the first November 2017 release


Playbooks

2 New Playbooks
- Arcsight - Get events related to the Case
-- Get the Case's Arcsight ResourceID from the FetchID field, or the "ID" label. If neither are available, ask user for the ID
- QRadar - Get offense correlations
-- Get more information about a QRadar offense


Integrations

5 New Integrations
- Carbon Black Defense
-- Next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks and ransomware
- IsItPhishing
-- Collaborative web service that provides validation on whether a URL is a phishing related page (or not) by analyzing the content of the webpage
- McAfee Threat Intelligence Exchange
-- Connect to TIE using its DXL client
- McAfee Web Gateway
-- Blacklist/Whitelist URLs
- TCPIPUtils
-- Use the TCPIPUtils.com API to get enrichment data about an IP address

5 Improved Integrations
- AlienVault OTX
-- The 'not found' error is now handled more gracefully
- ArcSight ESM
-- Added new commands: as-case-delete, as-get-all-query-viewers, as-get-case-event-ids
-- The ArcSight XML integration is no longer needed; fetching can be done via ArcSight ESM
- Remedy On-Demand
-- Port parameter is now optional
- SplunkPy
-- Support different timezones on Splunk ES incident fetch
- Nessus
-- Fixed list-scans command issue



Scripts

2 New Scripts
- ContextContains
-- This script searches for a value in a context path
- ExposeIncidentOwner
-- Copy the incident owner into 'IncidentOwner' context key

5 Improved Scripts
- ATDDetonate
-- Returns an error on unsupported files
- DeleteContext
-- Now returns an error when no arguments are provided (rather than a regular message)
- ExportToCSV
-- Display string representation of inner object fields
- QRadarGetCorrelationLogs
-- Added Context outputs
- QRadarGetOffenseCorrelations
-- Updated context outputs

1 Deprecated Script
- QRadarClassifier
-- Use the Demisto "Classification and Mapping" tool instead

5.5

Feeds

25 New Feeds in 5.5.0 Beta
We added several inbound and outbound feeds for threat intelligence management.

22 Inbound Feeds
- __abuse.ch SSL Blacklist Feed__
- __DShield Feed__
- __Cofense Feed__
- __Azure Feed__
- __Office 365 Feed__
- __Blocklist_de Feed__
- __Recorded Future RiskList Feed__
- __BruteForceBlocker Feed__
- __AutoFocus Feed__
- __Cloudflare Feed__
- __Proofpoint Feed__
- __Bambenek Consulting Feed__
- __Tor Exit Addresses Feed__
- __AlienVault Reputation Feed__
- __Feodo Tracker IP Blocklist Feed__
- __Feodo Tracker Hashes Feed__
- __Spamhaus Feed__
- __AWS Feed__
- __Office365 Feed__
- __CSV Feed__
- __Malware Domain List Active IPs Feed__
- __Fastly Feed__

3 Outbound Feeds
- __Export Indicators Service__
- __Palo Alto Networks PAN-OS EDL Service__
- __TAXII Feed__

Integrations
New Integration in 5.5 Beta
- __Elasticsearch v2__
- Searches for and analyzes data in real-time.
- Supports version 6 and up.
---
Scripts
New Script in 5.5.0 Beta
- __FetchIndicatorsFromFile__
Fetches indicators from a file.
---
Playbooks
11 New Playbooks in 5.5 Beta
- __Process Domain Indicators__
- __Process Hash Indicators__
- __Process IP Indicators__
- __Process Url Indicators__
- __ArcSight Add Domain Indicators__
- __ArcSight Add IP Indicators__
- __ArcSight Add Hash Indicators__
- __QRadar Add Domain Indicators__
- __QRadar Add IP Indicators__
- __QRadar Add Hash Indicators__
- __QRadar Add Url Indicators__
---
Dashboard
New Dashboard in 5.5.0 Beta
- __Threat Intelligence Management__
---
Widgets
4 New Widgets
- __Elastic Disk Current Usage__
Elastic Disk Current Usage %.
- __Elastic JVM Memory Current Usage__
Elastic JVM Memory Current Usage %.
- __Elastic Memory Current Usage__
Elastic Memory Current Usage %.
- __Elastic CPU Current Usage__
Elasticsearch CPU Current Usage %.
---
Incident Layouts

10 New Incident Layouts in 5.5.0 Beta
- __emailRep - Indicator Details__
Updated the layout for the Email indicator type.
- __Indicator Feed - New/Edit__
Added the ability to edit the layout for the **Indicator Feed** incident type.
- __unifiedFileRep - Indicator Details__
Updated the layout for the File indicator type.
- __urlRep - Indicator Details__
Updated the layout for the URL indicator type.
- __domainRep - Indicator Details__
Updated the layout for the Domain indicator type.
- __hostRep - Indicator Details__
Updated the layout for the Host indicator type.
- __cveRep - Indicator Details__
Updated the layout for the CVE indicator type.
- __registryKey - Indicator Details__
Updated the layout for the Registry Key indicator type.
- __ipRep - Indicator Details__
Updated the layout for the IP indicator type.
- __accountRep - Indicator Details__
Updated the layout for the Account indicator type.
---
Integrations

8 New Integrations
- __Google Chronicle Backstory__
Use the Google Chronicle Backstory integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed.
- __Pentera__
An Integration with Pentera by Pcysys.
- __Claroty__
Use the Claroty CTD integration to manage assets and alerts.
- __Expanse__
The Expanse App for Demisto leverages the Expander API to retrieve network exposures and create incidents in Demisto. This application also enables IP and Domain enrichment, retrieving assets and exposures information drawn from Expanse.
- __IBM X-Force Exchange (v2)__
Use the IBM X-Force Exchange integration to receive threat intelligence about applications, IP addresses, URLs, and hashes.
- __CounterCraft Deception Director__
Use the CounterCraft Deception Solution integration to detect advanced adversaries and to automate counterintelligence campaigns to discover targeted attacks with real-time active response.
- __Indeni__
Indeni is turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready Knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration with your existing processes.
- __illuminate__
This integration utilizes AnalystPlatform's Illuminate system to enrich Demisto indicators.

9 Improved Integrations
- __MISP V2__
Fixed the default value for the *PREDEFINED* argument in the ***misp-search*** command.
- __DomainTools Iris__
Improved the integration description.
- __Micro Focus Service Manager__
Improved the descriptions for several parameters and commands.
- __SplunkPy__
Added support for comma-separated values in the ***splunk-parse-raw*** command.
- __Palo Alto Networks PAN-OS__
- Added 2 commands.
- ***panorama-register-user-tag***
- ***panorama-unregister-user-tag***
- __Zscaler__
- Fixed an issue where the ***url*** command in Zscaler did not create an indicator in Demisto.
- Fixed the output descriptions of the ***url*** and ***ip*** commands in Zscaler.
- Fixed an issue where the ***zscaler-category-add-url*** command failed when passing multiple URLs separated with spaces.
- Fixed an issue where the ***zscaler-undo-blacklist-url*** command always failed with the error "Given URL is not blacklisted".
- Fixed an issue where the ***zscaler-undo-blacklist-ip*** command always failed with the error "Given IP is not blacklisted".
- Fixed an issue where the ***zscaler-undo-whitelist-url*** command always failed with the error "Given host address is not whitelisted.".
- Fixed an issue where the ***zscaler-undo-whitelist-ip*** command always failed with the error "Given IP address is not whitelisted.".
- Updated command executions to always activate changes after API calls and close the session. This fixes issues related to the session not being authenticated or timing out.
- __McAfee DXL__
Added certificate validation.
- __McAfee Threat Intelligence Exchange__
Added certificate validation.
- __Qualys__
Fixed an argument name in the ***qualys-schedule-scan-list*** command.

---
Scripts

New Script
- __ExpanseParseRawIncident__
Parses an Expanse incident from raw JSON to readable output.

2 Improved Scripts
- __FilterByList__
Added the name of the compared list to the context.
- __XDRSyncScript__
Fixed an issue where an incident was modified in XDR but not updated in Demisto.

---
Playbooks

6 New Playbooks
- __Claroty Manage Asset CVEs__
- __Claroty Incident__
- __Indeni Demo__
- __Pentera Run Scan__
- __Expanse Incident Playbook__
Parses incident from Expanse in raw JSON to readable output.
- __NetSec - Palo Alto Networks DUG - Tag User__
Block a user by tagging them in the Palo Alto Networks NGFW. Requires PAN-OS 9.1 or later.

3 Improved Playbooks
- __NetOps - Firewall Version and Content Upgrade__
Updated playbook descriptions and task names.
- __NetOps - Upgrade PAN-OS Firewall Device__
Updated playbook descriptions and task names.
- __Block Account - Generic__
Added the **PAN-OS Dynamic User Groups** commands to the playbook.

---
Incident Layouts

12 New Incident Layouts
- __accountRep - Indicator Details__
- __hostRep - Indicator Details__
- __Expanse Appearance - Summary__
- __domainRep - Indicator Details__
- __Claroty Integrity Incident - Summary__
- __cveRep - Indicator Details__
- __unifiedFileRep - Indicator Details__
- __registryKey - Indicator Details__
- __Claroty Security Incident - Summary__
- __ipRep - Indicator Details__
- __emailRep - Indicator Details__
- __urlRep - Indicator Details__

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.