Demisto Content Release Notes for version 20.3.4 (45989)
Published on 30 March 2020
Integrations
7 New Integrations
- __Cymulate__
Multi-Vector Cyber Attack, Breach and Attack Simulation.
- __Silverfort__
Use the Silverfort integration to get and update Silverfort risk severity.
- __Generic SQL__
Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
- __Microsoft Defender Advanced Threat Protection__
Use the Microsoft Defender Advanced Threat Protection (ATP) for preventative protection, post-breach detection, automated investigation, and response.
- __Cortex Data Lake__
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your on-premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
- __Fidelis EDR__
Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac, and Linux operating systems for faster threat remediation.
- __Tanium Threat Response__
Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.
15 Improved Integrations
- __Symantec Managed Security Services__
Fixed an issue where **fetch-incidents** failed on data containing special characters.
- __AWS - EC2__
- Improved handling of error messages.
- Updated the result returned when the command is an empty list.
- __illuminate__
Fixed an issue where indicators with no benign data showed as malicious.
- __Microsoft Teams__
Added the ***microsoft-teams-ring-user*** command.
- __Active Directory Query v2__
Fixed the User Account Control translation value.
- __Slack v2__
Fixed a bug where messages were not sent to a channel if it was the dedicated channel for notifications.
- __SplunkPy__
- Added the **Replace with Underscore in Incident Fields** parameter key, which replaces problematic characters (e.g., ".") with underscores ("\_") in context keys.
- Added the **First fetch timestamp** parameter, which indicates the date and time from which incidents should be fetched.
- Fixed an issue where the ***splunk-search*** command presented the table headers in alphabetical order instead of the query order.
- __Expanse__
- Shortened the period of time that tokens are considered valid, to avoid authorization errors.
- Fixed an issue related to the ***ip*** command where an error is generated if the API returns a partial response.
- Added friendly values for various empty fields returned by the ***domain*** command.
- __Palo Alto Networks AutoFocus v2__
- Fixed an issue where *get_search_results* mistakenly returns "no results".
- Added the *SessionStart* context output to the following commands.
- ***autofocus-search-samples***
- ***autofocus-search-Sessions***
- ***autofocus-top-tags-search***
- __Microsoft Graph Mail__
- Fixed an issue where the listing emails were not comparing the mail ID.
- Added 4 commands. These commands require additional permissions. See the Detailed Description for more information.
- ***msgraph-mail-create-draft***
- ***msgraph-mail-send-draft***
- ***msgraph-mail-reply-ro***
- ***send-mail***
- Added the ability to fetch mails as incidents.
- __Rasterize__
Increased the default value for ***rasterize*** image width to 1024px.
- __Okta__
Fixed a typo in the *DisplayName* context path in the ***okta-search*** command.
- __Lockpath KeyLight v2__
Fixed the ***Fetch incidents*** raw data to match the data and format of the ***kl-get-records*** data command.
- __Fidelis Elevate Network__
Added the following commands.
- ***fidelis-get-alert-session-data*** - Gets the session data of an alert.
- ***fidelis-get-alert-decoding-path*** - Gets the decoding data of an alert.
- ***fidelis-add-alert-comment*** - Adds a comment to an alert.
- ***fidelis-get-alert-execution-forensics*** - Gets the execution forensic data of an alert.
- ***fidelis-update-alert-status*** - Assigns a status to an alert (False Positive, Not Interesting, Interesting and Actionable).
- ***fidelis-close-alert*** - Closes an alert.
- ***fidelis-assign-user-to-alert*** - Assigns a user to an alert.
- ***fidelis-get-alert-forensic-text*** - Gets the forensic text of an alert.
- ***fidelis-alert-execution-forensics-submission*** - Submit an alert with an executable file for execution forensics.
- ***fidelis-manage-alert-label*** - Adds, removes, or changes an alert label.
- __Tanium v2__
- Added support for question text with parameters instead of using the parameters argument in the ***tn-ask-question*** command.
- Fixed an issue where the ***tn-get-question-result*** command returned a list in a single-column result.
Deprecated Integrations
- __Palo Alto Networks Cortex__
Deprecated. Use the **Cortex Data Lake** integration instead.
- __Windows Defender Advanced Threat Protection__
Deprecated. Use the **Microsoft Defender Advanced Threat Protection** integration instead.
---
Scripts
2 New Scripts
- __ReplaceMatchGroup__
Returns a string with all matches of a regex pattern groups replaced by a replacement.
- __Base64Decode__
Decodes an input in Base64 format.
4 Improved Scripts
- __ExtractFQDNFromUrlAndEmail__
Fixed an issue with the ATP link regex.
- __ExtractDomainFromUrlAndEmail__
Fixed an issue with the ATP link regex.
- __UnEscapeURLs__
- Fixed an issue with unescaped 'https' URLs.
- Fixed an issue with the ATP link regex.
- __FindSimilarIncidents__
Deprecated the following arguments, use the ***similarIncidentFields*** command instead.
- *similarCustomFields*
- *similarIncidentKeys*
---
Playbooks
11 New Playbooks
- __Tanium Threat Response - Create Connection__
Creates a connection to a remote destination from Tanium.
- __Cortex XDR - Isolate Endpoint__
Accepts an XDR endpoint ID and isolates it using the **Palo Alto Networks Cortex XDR - Investigation and Response** integration.
- __Dedup - Generic v2__
Identifies duplicate incidents using one of the supported methods.
- __Brute Force Investigation - Generic - SANS__
Investigates a "Brute Force" incident by gathering user and IP information and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation.
***Disclaimer***: This playbook does not ensure compliance with SANS regulations.
- __Brute Force Investigation - Generic__
Investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation.
- __Prisma Cloud Remediation - GCP Compute Engine Misconfiguration__
Remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps.
- __Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration__
Remediates Prisma Cloud GCP Compute Engine VM Instance alerts.
- __Silverfort Update Risk for Domain Admins Incidents__
Gets an incident related to an account. If it is a domain admin, updates Silverfort risk.
- __Microsoft Defender Advanced Threat Protection Get Machine Action Status__
This playbook uses generic polling to get machine action information.
- __Tanium Threat Response - Request File Download__
Requests file download from Tanium.
- __Silverfort Disable High Risk Account__
This playbook gets the user's risk from Silverfort DB. If the risk is medium or higher, the user will be blocked and an alert will be sent.
8 Improved Playbooks
- __Palo Alto Networks - Malware Remediation__
Added the **Cortex XDR - Isolate Endpoint** sub-playbook.
- __Block URL - Generic__
Added additional playbook inputs.
- __Detonate File - FireEye AX__
Added support for file types that were previously missing.
- __Impossible Traveler__
Fixed an issue with sending an email to the manager of the user.
- __Isolate Endpoint - Generic__
Added the **Cortex XDR - Isolate Endpoint** sub-playbook.
- __Block Indicators - Generic v2__
Added additional playbook inputs.
- __Employee Offboarding - Gather User Information__
Improved error handling when the user's manager is not found.
- __Calculate Severity - Critical Assets v2__
Fixed an issue that caused the playbook to fail when certain inputs were missing.
Deprecated Playbook
- __Failed Login Playbook - Slack v2__
Deprecated. Use the **Slack - General Failed Logins v2.1** playbook instead.
---
Incident Fields
12 New Incident Fields
- __Login Attempt Count__
- __userAccountControl__
- __Dest OS__
- __Successful Login__
- __SANS Stage__
- __Dest Hostname__
- __User Disabled Status__
- __Src Hostname__
- __sAMAccountName__
- __Account Groups__
- __Password Expiration Status__
- __MAC Address__
---
Layouts
2 New Layouts
- __Cymulate Immediate Threats - Summary__
- __Brute Force - Summary__
Added a layout for the **Brute Force** incident type. **(Available from Demisto 5.0)**.
Improved Layouts
- __domainRep2 - Indicator Details__
- Added the **domain2** indicator layout.
- Added the indicator field **Aggregated Reliability**, which is the aggregated score of the feed.
---
Cortex XSOAR 5.5 Release
---
Integrations
2 New Integrations
- __JSON Feed__
Fetches indicators from a JSON feed.
- __Syslog Sender__
Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.
6 Improved Integrations
- __AutoFocus Feed__
Changed the default indicator reputation to Bad.
- __Export Indicators Service__
- Added support for the following inline URL parameters.
- t - The type indicated in the mwg format.
- sp - Whether to strip ports of URLs in the panosurl format.
- di - Whether to drop invalid URLs in the panosurl format.
- cd - The default category in the proxysg format.
- ca - The categories to show in the proxysg format.
- tr - Whether to collapse IPs to ranges or CIDRs.
- Added support for "McAfee Web Gateway", "PAN-OS URL" and "Symantec ProxySG" output formats.
- Fixed an issue where "json", "json-seq" and "csv" formats did not match the original Minemeld formats.
- Added support for "XSOAR json", "XSOAR json-seq" and "XSOAR csv" output formats.
- Added a feature where "csv" and "XSOAR csv" formats now download a .csv file with the indicator information.
- The "json-seq" and "XSOAR json-seq" functions now download a file with indicator information as a JSON sequence.
- Added support for IP ranges and CIDR collapse.
- __Bambenek Consulting Feed__
- Renamed the *Sub-Feeds* parameter to *Services* in the instance configuration.
- Added 5 services:.
- **C2 All Indicator Feed**.
- **High-Confidence C2 All Indicator Feed**.
- **DGA Domain Feed**.
- **High-Confidence DGA Domain Feed**.
- **Sinkhole Feed** feeds.
- Services are now represented by their names instead of their URL addresses.
- __TAXII Server__
Improved the test module functionality.
- __TAXII Feed__
You can now leave the *collection* parameter empty to receive the list of available collections.
- __Palo Alto Networks PAN-OS EDL Service__
- Improved the test module functionality.
- Added support for IP collapse to ranges and CIDRs.
- Renamed the **Sub-Feeds** parameter to **Services** in the instance configuration for the following feeds:
- __Cloudflare Feed__
- __AWS Feed__
- __abuse.ch SSL Blacklist Feed__
- __Blocklist_de Feed__
- __Recorded Future RiskList Feed__
- __Spamhaus Feed__
- __Cloudflare Feed__
- __AWS Feed__
- __Recorded Future RiskList Feed__
- __Spamhaus Feed__
---
Scripts
2 New Scripts
- __ThreatIntelManagementGetIncidentsPerFeed__
Gets the total number of incidents per OOTB feed.
- __ExtractDomainAndFQDNFromUrlAndEmail__
Extracts domains and FQDNs from URLs and emails.
---
Playbooks
28 New Playbooks
- __TIM - Review Indicators Manually__
This playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags 'such as, 'approved_black', 'approved_white', etc. Once the analyst completes their review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'pending review' tag from the indicators.
- __TIM - ArcSight Add Domain Indicators__
This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List-ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
- __TIM - Process Indicators Against Approved Hash List__
This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.
- __TIM - Process Indicators Against Business Partners Domains List__
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly.
- __TIM - QRadar Add IP Indicators__
This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- __TIM - Add IP Indicators To SIEM__
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- __TIM - Run Enrichment For Hash Indicators__
This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
- __TIM - ArcSight Add IP Indicators__
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
- __TIM - Process Indicators - Fully Automated__
This playbook tags indicators ingested from high reliability feeds. The playbook is triggered by a Cortex XSOAR job. The indicators are tagged as approved_white, approved_black, approved_watchlist. The tagged indicators will be ready for consumption for 3rd party systems such as SIEM, EDR, and so on.
- __TIM - Process Indicators Against Organizations External IP List__
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organizational External IP addresses, and tags the indicators accordingly.
- __TIM - Run Enrichment For Url Indicators__
This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
- __TIM - QRadar Add Url Indicators__
This playbook queries indicators based on a pre-defined query or the results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- __TIM - Process Indicators Against Business Partners IP List__
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly.
- __TIM - Run Enrichment For Domain Indicators__
This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
- __TIM - Run Enrichment For All Indicator Types__
This playbook performs enrichment on indicators based on playbook query, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
- __TIM - Add Domain Indicators To SIEM__
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
- __TIM - QRadar Add Domain Indicators__
This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- __TIM - Add All Indicator Types To SIEM__
This playbook runs sub-playbooks that send indicators of all types to your SIEM.
- __TIM - Run Enrichment For IP Indicators__
This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
- __TIM - Add Bad Hash Indicators To SIEM__
This playbook receives file-hash indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- __TIM - Add URL Indicators To SIEM__
This playbook receives URL indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- __TIM - Indicator Auto Processing__
This playbook uses several sub playbooks to process and tag indicators, which is used to identify indicators that shouldn't be blacklisted. For example, IP indicators that belong to business partners or important hashes we wish to not process.
- __TIM - Process File Indicators With File Hash Type__
This playbook processes file indicator by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5.
- __TIM - Process Indicators Against Business Partners URL List__
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner URLs, and tags the indicators accordingly. To enable the playbook, provide a Cortex XSOAR list name containing business partner URLs.
- __TIM - Process Indicators - Manual Review__
This playbook is triggered by a job and tags indicators ingested by feeds which require manual approval. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review.
- __TIM - QRadar Add Bad Hash Indicators__
This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- __TIM - ArcSight Add Bad Hash Indicators__
This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List-ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
- __TIM - ArcSight Add URL Indicators__
This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight. Active List. The Active List-ID should also be defined in the playbook inputs as well as the field name in the Active list to add to.
---
Layouts
New Layout
- __Review Indicators Manually - Summary__
New layout for the **Review Indicators Manually** type.
10 Improved Layouts
- __domainRep - Indicator Details__
- Changed the domain ID to the new domain indicator ID.
- Added the indicator field **Aggregated Reliability**, which is the aggregated score of the feed and added custom details and Extended details sections to the following layouts:
- __accountRep - Indicator Details__
- __emailRep - Indicator Details__
- __hostRep - Indicator Details__
- __unifiedFileRep - Indicator Details__
- __cveRep - Indicator Details__
- __registryKey - Indicator Details__
- __ipRep - Indicator Details__
- __urlRep - Indicator Details__
- __domainRep - Indicator Details__