Demisto Content Release Notes for version 19.10.1 (31209)
Published on 15 October 2019
Notice: Breaking Change
SplunkPy: This update adds the app parameter setting. After the update is complete, you must re-save existing instances of SplunkPy: open the instance configuration, test the instance, and then save it. The app parameter may be left empty.
Integrations
New Integration
- SMIME Messaging
Use the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data.
14 Improved Integrations
- Kafka v2
- Added partitions to kafka-print-topic command outputs.
- Added a parameter to set the maximum number of messages to fetch.
- Improved debug logging outputs.
- Improved fetch incidents implementation (breaks backward compatibility).
- Slack v2
Added support for changing the display name and icon for the Demisto bot in Slack.
- DUO Admin
Proxy configuration now works as expected.
- Palo Alto Networks Traps
Updated the integration category to Endpoint.
- Active Directory Query v2
Added support for debug-mode, which logs extended information when enabled.
- RSA Archer
Added support for European timestamps.
- Hybrid Analysis
Fixed an issue where the hybrid-analysis-search command returned an error when used without the query argument.
- Prisma Cloud (RedLock)
- Updated the display name to: Prisma Cloud (RedLock).
- Added the Trust any certificate configuration parameter.
- Microsoft Graph Mail
- Improved the description of the search argument in msgraph-mail-list-emails command.
- Fixed an issue where the msgraph-mail-delete-email command always returned an error.
- ThreatQ v2
Fixed results numbering for the following commands:
- threatq-get-all-adversaries
- threatq-get-all-indicators
- threatq-get-all-events
- Rasterize
- Updated the integration to use Chrome driver instead of phantomJS (requires Demisto 5.0).
- Improved control over the window size of the output.
- SplunkPy
- Added the app parameter, which is the app context of the namespace.
- Improved the human readable output of the search command.
- TruSTAR
Fixed an issue where the trustar-search-indicator command returned an incorrect context output.
- IntSights
- Fixed an issue where indicators were not extracted correctly in intsight-get-iocs command.
- Improved implementation of the following commands:
- intsights-get-alert-image
- intsights-get-alert-takedown-status
Scripts
2 New Scripts
- AwsEC2GetPublicSGRules
Finds Security Group rules that allow 0.0.0.0/0 (IPv4) or ::/0 (IPv6).
- PopulateCriticalAssets
Populates critical assets in a grid field that has the section headers Asset Type and Asset Name.
2 Improved Scripts
- CommonServerPython
- Added the is_debug_mode wrapper function, which checks if debug-mode is enabled.
- The return_outputs function can now return readable_output.
- ExtractDomainFromUrlAndEmail
Added support for URLs that contain non-ASCII characters.
Playbooks
5 New Playbooks
- Traps Quarantine Event
This playbook accepts a file hash and quarantines the file using Traps.
- Traps Blacklist File
This playbook accepts a file SHA256 hash and adds it to a blacklist using the Traps integration.
- Traps Isolate Endpoint
This playbook accepts an endpoint ID from the Traps integration and isolates the endpoint.
- Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port
This playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked.
- Palo Alto Networks - Endpoint Malware Investigation
This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks MineMeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with MineMeld for all related IOCs, and calculates the incident severity based on all the findings.
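The check that the AwsEC2GetPublicSGRules script and the Prisma Cloud TCP-port remediation playbook above are built around, as an added illustration (this is not the release's own script code): walk EC2 DescribeSecurityGroups-shaped data, flag ingress rules whose source is 0.0.0.0/0 or ::/0, and build the argument shape a RevokeSecurityGroupIngress call takes for each finding. The group data below is a constructed sample, and `public_sg_rules`/`revoke_args` are names chosen here, not the script's.

```python
# Added example: detect Security Group ingress rules open to the whole internet.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000example1", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0000example2", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
     ]},
]


def public_sg_rules(groups, protocol=None):
    """Return (group_id, protocol, from_port, to_port, cidr) for each ingress rule
    whose source is 0.0.0.0/0 or ::/0. protocol="tcp" narrows the result to TCP
    rules; "-1" (all protocols) is kept because it covers TCP as well."""
    found = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if protocol and proto not in (protocol, "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in PUBLIC_CIDRS:
                    found.append((group["GroupId"], proto,
                                  perm.get("FromPort"), perm.get("ToPort"), cidr))
    return found


def revoke_args(rule):
    """Build the GroupId/IpPermissions dict that a RevokeSecurityGroupIngress
    call takes for one flagged rule (IPv6 sources go under Ipv6Ranges)."""
    group_id, proto, from_port, to_port, cidr = rule
    perm = {"IpProtocol": proto}
    if from_port is not None:
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return {"GroupId": group_id, "IpPermissions": [perm]}
```

Feeding the output of `ec2.describe_security_groups()["SecurityGroups"]` to `public_sg_rules` gives the same tuples for a live account; each tuple maps through `revoke_args` to the manual or automatic revoke step the playbook offers.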
3 Improved Playbooks
- Calculate Severity - Critical Assets v2
Added a task that sets all found critical assets to a new incident field.
- Calculate Severity - Generic v2
Fixed an issue where the current incident severity was not always taken into account.
- Palo Alto Networks - Malware Remediation
Added Traps remediation sub-playbooks.
Incident Fields
- PID
PID.
- Blocked Action
Blocked Action.
- Subtype
Subtype.
- Infected Hosts
Infected hosts found in the investigation.
- Isolated
Isolated.
- Device Name
Device Name.
- Traps ID
Traps event ID.
- Agent ID
Agent ID.
- Malicious Behavior
Malicious Behavior.
- Quarantined
Whether the indicator is quarantined or isolated.
- Terminated Action
Terminated Action.
- Src OS
Src OS.
- Command Line
Command Line.
- File Size
File Size.
- Triggered Security Profile
Triggered Security Profile.
- Critical Assets
A table of critical assets involved in the incident, including the name and asset type.
- Parent Process ID
Parent Process ID.
Incident Layouts
New Incident Layout
- Traps - Summary
New layout for Traps incident type.
2 Improved Incident Layouts
- Phishing - Summary
- Reorganized several elements of the layout.
- Added a field that displays the result for an email authenticity check.
- Added a field that displays email headers.
- Added a field that displays the email address of the user who reported the phishing email.
- Added a field that displays the email classification.
- Added a field that displays the phishing sub-type.
- Added a field that displays URL SSL verification results.
- Added a section that displays URL screenshots.
- Added a field that displays critical assets involved in the phishing incident.
- Phishing - Summary
Added a list of critical assets to the summary layout of phishing incidents.
Classification & Mapping
New Classification & Mapping
- Palo Alto Networks Cortex
New classifier for Palo Alto Networks Cortex integration for Traps incidents.
Reputations
- The regex now recognizes URL query syntax.
- Added support for non-English languages.
- Added support for asterisk, pipeline, and various dashes.