Demisto Content Release Notes for version 19.10.3 (32464)
Published on 31 October 2019
Major Fix
URLScan.io removed the Google Safe Browsing API from the API responses that they return. We updated our integration with URLScan.io to reflect their product changes.
Integrations
4 New Integrations
- PolySwarm
Real-time threat intelligence from a crowd-sourced network of security experts and anti-virus companies. - SlashNext Phishing Incident Response
SlashNext Phishing Incident Response integration allows Demisto users to fully automate analysis of suspicious URLs. - Google Docs
Use the Google Docs integration to create and modify Google Docs documents. - ARIA Packet Intelligence
The ARIA Cybersecurity Solutions Software-Defined Security (SDS) platform integrates with Demisto to add robustness when responding to incidents.
19 Improved Integrations
- urlscan.io
- Fixed a breaking change in the API.
- Added support for batches.
- AWS - IAM
- Added the following commands.
- aws-iam-get-account-password-policy
- aws-iam-update-account-password-policy
- Added support for access keys, proxy environments, and trusting insecure connections.
- Added the following commands.
- Palo Alto Networks WildFire v2
Fixed an issue in which testing the integration instance failed. - Palo Alto Networks PAN-OS
Added the panorama-security-policy-match command. - Palo Alto Networks MineMeld
Fixed lowercase hash types in the outputs. - Rasterize
- Added the rasterize-pdf command, which converts a PDF file to an image file.
- The rasterize-email command is now available in offline mode.
- Added the wait_time - parameter to the rasterize command and to the instance configuration, which sets the time to wait before taking a screen shot.
- Palo Alto Networks Cortex
- Added 4 new commands.
- cortex-query-traffic-logs
- cortex-query-threat-logs
- cortex-query-traps-logs
- cortex-query-analytics-logs
- Added 4 new commands.
- SentinelOne v2
- Fixed an issue in the Fetch incidents function.
- Fixed an issue in the sentinelone-get-threats command.
- EWS v2
- Improved implementation of the ews-search-mailbox command.
- Added the ews-get-items-as-eml command.
- RSA Archer
Fixed the default field on which the search is performed. - SMIME Messaging
Added the smime-sign-and-encrypt command. - Gmail
- Added the page-token parameter to the gmail-list-users command, which returns further results.
- The gmail-search-all-mailboxes command now runs on all users.
- SplunkPy
- Improved handling of the app context parameter.
- Fixed handling of arrays when converting notable events to incidents.
- IBM QRadar
- Fixed an issue in which the fetch-incidents function failed while enriching fetched offenses with source and destination IP addresses.
- Fixed an issue in which the qradar-delete-reference-set-value command failed to delete reference sets with the "\" character in their names.
- Proofpoint TAP v2
Fixed the fetch-incidents function when the last_fetch time range is greater than 1 hour. - Tenable.io
Fixed the raw-response argument for all commands. - Mail Sender (New)
- The integration ignores the FQDN configuration parameter if it is empty or contains only white spaces.
- Added the raw_message argument to the send-mail command.
- Cloaken
Added the cloaken-screenshot-url command. - GitHub
- Improved implementation of the default value for the fetch_time parameter.
- Added 4 commands.
- GitHub-list-pr-review-comments
- GitHub-update-pull-request
- GitHub-is-pr-merged
- GitHub-create-pull-request
Scripts
5 New Scripts
- LastArrayElement
Returns the last element of an array. If the value passed is not an array, it returns the original value that was passed. - EmailDomainWhitelist
Accepts an array of domains as a whitelist, and a list of email addresses. The script then filters out any email address whose domain is not in the whitelist. The filtered list will be returned as an array. - FirstArrayElement
Returns the first element of an array. If the value passed is not an array, it returns the original value that was passed. - EmailDomainBlacklist
Accepts an array of domains as a blacklist, and a list of email addresses. The script then filters out any email address whose domain is in the blacklist. The filtered list will be returned as an array. - ConvertFile
Converts a file from one format to a different format by using the convert-to function of Libre Office.
5 Improved Scripts
- XDRSyncScript
The XDRSyncScript now works. - CheckEmailAuthenticity
Updated the descriptions for arguments. - UnEscapeURLs
Added handling of Proofpoint v3 URLs. - GetDockerImageLatestTag
Fixed an issue where the script did not return the latest tag. - IsMaliciousIndicatorFound
- Added the includeManual argument, which applies the manually assigned indicator severity to the indicator. This overrides the DBot score.
- When a user manually assigns a reputation to an indicator, the reputation is applied to all instances of the indicator regardless of the type.
Playbooks
7 New Playbooks
- Phishing - Core
Provides a basic response to phishing incidents. The playbook includes the following features:- Calculates reputation for all indicators.
- Extracts indicators from email attachments.
- Calculates severity for the incident based on indicator reputation.
- Updates reporting user about investigation status.
- Allows manual remediation of the incident.
- Get File Sample By Hash - Generic v2
- This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:.
- Get File Sample By Hash - Carbon Black Enterprise Response.
- Get File Sample By Hash - Cylance Protect v2.
- Retrieve File from Endpoint - Generic
This playbook retrieves a file sample from an endpoint using the following playbooks:.- Get File Sample From Path - Generic.
- Get File Sample By Hash - Generic v2.
- Get File Sample By Hash - Cylance Protect v2
This playbook returns a file sample to the War Room given the file's SHA256 hash, using Cylance Protect v2 integration. - PAN-OS - Create Or Edit Rule
Creates or edits a Panorama rule and moves it to the desired position. - Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days
Remediates Prisma Cloud Alert Inactive users for more than 30 days, this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user console password. To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time. - Process Email - Core
Add email details to the relevant context entities and handle the case where original emails are attached.
6 Improved Playbooks
- PanoramaCommitConfiguration
Improved descriptions and added emphasis on playbook deprecation. - Phishing Investigation - Generic v2
Added a task to save the reporter email address in an incident field, so it can be displayed on the summary page. - Process Email - Generic
- Fixed an issue where playbook did not populate the raw HTML field that is displayed in the phishing layout.
- The rasterize-email command is now available in offline mode.
- PAN-OS EDL Setup
- Added support for attaching the EDL to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- PAN-OS DAG Configuration
- Added support for attaching the DAG to an existing rule.
- Added support for moving new rules to a required position in the rulebase.
- URL Enrichment - Generic v2
Added a tag for URL screenshots, which can be used to distinguish between incident files and screenshots during the investigation stage.
Widgets
Improved Widget
- Incident Severity by Type
Incident types are now sorted by severity.
Incident Fields
- Reporter Email Address
The email address of the user who reported the email. - URL SSL Verification
Indicates whether the URLs passed the SSL certificate verification. - Email Headers
A list of all of the email headers.
Incident Layouts
Improved Incident Layout
- Phishing - Summary
Improved several widgets for the summary layout, including widget size and location.