
Demisto Content Release Notes for version 19.1.1 (16961)

Published on 13 January 2019

Integrations

2 New Integrations

  • CIRCL
    CIRCL Passive DNS is a database storing historical DNS records from various resources.
    CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the CIRCL documentation.
  • MISP V2
    Malware information sharing platform and threat sharing.
    This integration replaces the MISP (Deprecated) integration.

10 Improved Integrations

  • Pwned
    Fixed an issue in the email command that affected backward compatibility.

  • AbuseIPDB

    • Fixed context issues.
    • Added the AbuseIPDBPopulateIndicators script.
  • Cybereason

    • Improved the implementation of fetching malops as incidents.
    • Added 5 new commands:
      • cybereason-prevent-file
      • cybereason-unprevent-file
      • cybereason-query-file
      • cybereason-query-domain
      • cybereason-query-user

    For more information, see the Cybereason documentation.

  • Google Vault

    • Added 4 new commands:
      • gvault-get-drive-results
      • gvault-get-mail-results
      • gvault-get-groups-results
      • gvault-download-results
    • Added 4 new Google Vault playbooks:
      • Google Vault - Search Mail
      • Google Vault - Search Drive
      • Google Vault - Search Groups
      • Google Vault - Display Results
    • In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

    For more information, see the Google Vault documentation.

  • IntSights

    • The get_alerts command now retrieves all alert details.
    • Added the time-delta argument, which retrieves alerts based on a given time delta (in days).

    For more information, see the IntSights documentation.

  • ServiceNow
    Improved handling of empty responses and missing fields.

  • Cisco Threat Grid
    You can now submit a file that has Unicode characters in its name.

  • TruSTAR
    Added 4 new commands:

    • file
    • url
    • ip
    • domain

    For more information, see the TruSTAR documentation.

  • Have I Been Pwned?
    Added DBot score.

  • ThreatConnect

    • Added context and markdown to existing commands.
    • Added new commands.

Scripts

7 New Scripts

  • AbuseIPDBPopulateIndicators
    Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
  • ChangeRemediationSLAOnSevChange
    Changes the remediation SLA when a change in incident severity occurs.
  • CopyContextToField
    Copies a context key to an incident field in multiple incidents, based on a query.
  • CybereasonPreProcessingExample
    Run this preprocessing script when fetching Cybereason malops. The script checks whether a malop was already fetched; if so, it updates the existing incident, otherwise it creates a new incident.
  • DT
    This automation allows the usage of DT scripts within playbook transformers.
  • LinkIncidentsWithRetry
    Linking multiple incidents simultaneously can cause DB version errors. Use the LinkIncidentsWithRetry script to avoid this error.
  • StopTimeToAssignOnOwnerChange
    Stops the Time To Assign timer when the incident owner changes.

6 Improved Scripts

  • cveReputation
    Added a fixed number of retries for the cve-search command when a 404 error is returned.
  • ProofpointDecodeURL
    Added a helpful error description when a URL is not found in the query.
  • SSDeepReputation
    You can now use this script as an indicator reputation script.
  • SplunkPySearch

    • Fixed the 'Missing headers param' bug.
    • Added error validation for the command result.

Deprecated Scripts

  • misp_download_sample
    This script is deprecated. Use the misp-download-sample command in the MISP V2 integration instead.
  • misp_upload_sample
    This script is deprecated. Use the misp-upload-sample command in the MISP V2 integration instead.

Playbooks

4 New Playbooks

  • Google Vault - Display Results
    Queues and displays Google Vault search results.
  • Google Vault - Search Drive
    Performs Google Vault searches in Drive accounts, and displays the results.
  • Google Vault - Search Groups
    Performs Google Vault searches in Groups, and displays the results.
  • Google Vault - Search Mail
    Performs Google Vault searches in Mail accounts, and displays the results.

Widgets

1 Improved Widget

  • MTTR by Type
    MTTR is now in the timeline widget.

Demisto v4.1.0

This content is available on Demisto v4.1.0 and later

Playbooks

1 Improved Playbook

  • Phishing Investigation - Generic
    Added detection and remediation timers based on SLA fields.

Dashboards

1 New Dashboard

  • SLA
    Displays an overview of your SLAs.

Widgets

4 New Widgets

  • Detection SLA by Status
    The detection SLA status of all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.
  • Mean Time to Detection
    The mean time (average time) to detection across all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days.
  • MTTD by Type
    Displays the Mean Time to Detection, by incident type.
  • Remediation SLA by Status
    The remediation SLA status of all incidents that initiated a remediation process. By default, the widget takes into account incidents from the last 30 days, and inherits a new time range when the dashboard time changes.

Incident Fields

  • Added the Detection SLA field.
  • Added the Remediation SLA field.
  • Added the Time to Assignment field.

Incident Layouts

1 New Incident Layout

  • Phishing - Quick View
    Added SLAs for Quick View layouts.

1 Improved Incident Layout

  • Phishing - Summary
    New SLA content.
