Demisto Content Release Notes for version 19.1.1 (16961)
Published on 13 January 2019
Integrations
2 New Integrations
- CIRCL
CIRCL Passive DNS is a database storing historical DNS records from various resources.
CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the CIRCL documentation.
- MISP V2
Malware information sharing platform and threat sharing.
This integration replaces the MISP (Deprecated) integration.
10 Improved Integrations
- Pwned
Fixed an issue in the email command that affected backward compatibility.
- AbuseIPDB
  - Fixed context issues.
  - Added the AbuseIPDB-PopulateIndicators script.
- Cybereason
  - Improved implementation of malop fetching as incidents.
  - Added 5 new commands:
    - cybereason-prevent-file
    - cybereason-unprevent-file
    - cybereason-query-file
    - cybereason-query-domain
    - cybereason-query-user
For more information, see the Cybereason documentation.
- Google Vault
  - Added 4 new commands:
    - gvault-get-drive-results
    - gvault-get-mail-results
    - gvault-get-groups-results
    - gvault-download-results
  - Added 4 new Google Vault playbooks:
    - Google Vault - Search Mail
    - Google Vault - Search Drive
    - Google Vault - Search Groups
    - Google Vault - Display results
  - In context, Export objects were moved into matching Matter objects (this change is not backward compatible).
For more information, see the Google Vault documentation.
- IntSights
  - The get_alerts command now retrieves all alert details.
  - Added the time-delta argument, which retrieves alerts based on a given time delta (in days).
For more information, see the IntSights documentation.
- ServiceNow
Improved handling of empty responses and missing fields.
- Cisco Threat Grid
You can now submit a file that has unicode characters in the name.
- TruSTAR
Added 4 new commands:
  - file
  - url
  - ip
  - domain
For more information, see the TruSTAR documentation.
- Have I Been Pwned?
Added DBot score.
- ThreatConnect
  - Added context and markdown to existing commands.
  - Added new commands.
Scripts
7 New Scripts
- AbuseIPDBPopulateIndicators
Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
- ChangeRemediationSLAOnSevChange
Changes the remediation SLA when a change in incident severity occurs.
- CopyContextToField
Copies a context key to an incident field across multiple incidents, based on a query.
- CybereasonPreProcessingExample
Run this preprocessing script when fetching Cybereason malops. The script checks whether a malop was already fetched; if so, it updates the existing incident, otherwise it creates a new incident.
- DT
This automation allows the usage of DT scripts within playbook transformers.
- LinkIncidentsWithRetry
Running multiple link incidents simultaneously can cause DB version errors. Use the LinkIncidentsWithRetry script to avoid this error.
- StopTimeToAssignOnOwnerChange
Stops the Time To Assign timer when the incident owner changes.
6 Improved Scripts
- cveReputation
Added a fixed number of retries to execute the cve-search command when a 404 error is returned.
- ProofpointDecodeURL
Added a helpful error description when a URL is not found in the query.
- SSDeepReputation
You can now use this script as an indicator reputation script.
- SplunkPySearch
  - Fixed 'Missing headers param' bug.
  - Added error validation for the command result.
Deprecated Scripts
- misp_download_sample
Script is deprecated, use the misp-download-sample command in the MISP V2 integration instead.
- misp_upload_sample
Script is deprecated, use the misp-upload-sample command in the MISP V2 integration instead.
Playbooks
4 New Playbooks
- Google Vault - Display Results
Queues and displays Google Vault search results.
- Google Vault - Search Drive
Performs Google Vault searches in Drive accounts, and displays the results.
- Google Vault - Search Groups
Performs Google Vault searches in Groups, and displays the results.
- Google Vault - Search Mail
Performs Google Vault searches in Mail accounts, and displays the results.
Widgets
1 Improved Widget
- MTTR by Type
MTTR is now in the timeline widget.
Demisto v4.1.0
This content is available on Demisto v4.1.0 and later
Playbooks
Improved Playbook
- Phishing Investigation - Generic
Added detection and remediation timers based on SLA fields.
Dashboards
1 New Dashboard
- SLA
Displays an overview of your SLAs.
Widgets
4 New Widgets
- Detection SLA by Status
The detection SLA status of all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.
- Mean Time to Detection
The mean time (average time) to detection across all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days.
- MTTD by Type
A widget that displays the Mean Time to Detection, by incident type.
- Remediation SLA by Status
The remediation SLA status of all incidents that initiated a remediation process. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.
Incident Fields
- Added Detection SLA field.
- Added Remediation SLA field.
- Added Time to Assignment field.
Incident Layouts
1 New Incident Layout
- Phishing - Quick View
Added SLAs for Quick View layouts.
1 Improved Incident Layout
- Phishing - Summary
New SLA content.