
Demisto Content Release Notes for version 19.11.0 (33434)

Published on 12 November 2019

Integrations

6 New Integrations

  • Vectra v2
    Automated attacker behavior analytics.
  • Google Key Management Service
    Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality.
  • ExtraHop Reveal(x)
    Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
  • SecurityAdvisor
    Contextual coaching and awareness for end users.
  • AlienVault OTX v2
    Query Indicators of Compromise in AlienVault OTX.
  • DomainTools Iris
    A threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers, and so on.

22 Improved Integrations

  • ArcSight Logger
    • Fixed an issue where date fields in search results were in epoch format instead of human readable format.
    • Added a function to handle chart operations in the logger search.
  • SplunkPy
    Increased the maximum fetch limit for Splunk.
  • Qualys
    Improved implementation of the qualys-vm-scan-launch command.
  • Uptycs
    • Fixed an issue where users could not set an asset tag with a key that already exists.
    • Added a new column, ancestor_list, to the process_events table in osquery. This simplifies computing the parent-child lineage of processes.
  • Netskope
    Added the ability to fetch alerts as incidents.
  • Kenna
    Improved inputs and outputs of the kenna-search-fixes command.
  • Red Canary
    Fixed an issue where non-Active Directory user names caused an "index out of range" exception.
  • Rasterize
    Added support for the px suffix in the width and height parameters.
  • Palo Alto Networks PAN-OS
    • Fixed an issue where the panorama-custom-block-rule command failed when trying to block an EDL or an address group object.
    • Changed the url argument from equals to contains in the panorama-log-query command.
    • Improved descriptions in the panorama-move-rule command.
  • EWS v2
    • Improved implementation of the ews-move-item-between-mailboxes command.
    • The email body now prints to context and the War Room for the following commands:
      • ews-get-items
      • ews-search-mailbox
  • Mail Sender (New)
    • Added support for versions of smtplib that use stderr from sys.
    • Fixed support for CRAM-MD5 authentication.
  • Palo Alto Networks PAN-OS EDL Management
    • Fixed an issue where the pan-os-edl-update command failed in scp_execute() when the file path included space characters.
    • Fixed an issue where the ssh_execute() function failed when the file name included space characters.
  • Palo Alto Networks Cortex
    Fixed an issue with the Test module.
  • RSA Archer
    • Fixed an issue in the Archer fetch incidents offset.
    • Fixed an issue in the fetched incidents details.
    • Improved errors and added debug logs.
  • BeyondTrust Password Safe
    Fixed an issue where stored credentials were using a non-unique identifier.
  • ProtectWise
    • Fixed an issue where events were not fetched properly.
    • Added the ability to limit the number of fetched incidents per fetch.
    • Fixed outputs for the protectwise-event-info command.
  • urlscan.io
    Fixed a typo in an error message.
  • Elasticsearch v2
    Added support for timestamps.
  • RSA NetWitness v11.1
    • Added the Fetch Limit parameter.
    • Fixed an issue where an unsupported timestamp format caused the integration to fail.
  • Palo Alto Networks AutoFocus V2
    Added descriptions to the autofocus-tag-details command.
  • Carbon Black Enterprise Response
    Added the decompress argument to the cb-binary-get command.
  • Kafka V2
    Updated the Docker image demisto/pykafka to version 1.0.0.3321 (requires Demisto 5.0).

Scripts

14 New Scripts

  • IPv4Blacklist
    Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
  • IsNotInCidrRanges
    Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.
  • IPv4Whitelist
    Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
  • GetByIncidentId
    Gets a value from the specified incident's context.
  • IsInCidrRanges
    Determines whether an IPv4 address is contained in one or more comma-delimited CIDR ranges.
  • CalculateGeoDistance
    Computes the distance between two sets of coordinates, in miles.
  • IsRFC1918Address
    A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network.
  • ExtraHopTrackIncidents
    Links an incident investigation back to the ExtraHop Detection that created it.
  • ProvidesCommand
    Determines which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
  • CalculateTimeDifference
    Calculate the time difference, in minutes.
  • DBotPreProcessTextData
    Pre-process text data for the machine learning text classifier.
  • DBotBuildPhishingClassifier
    Creates a phishing classifier, based on email content, using machine learning.
  • DBotTrainTextClassifierV2
    Train a machine learning text classifier.
  • GetIncidentsByQuery
    Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file.
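Added example, not code from the content repository: a plain-Python sketch of what the CIDR filters and the RFC 1918 check listed above do, built on the standard ipaddress module. The function and constant names are assumptions, not the scripts' real names, and the sample address list is constructed.

```python
import ipaddress
from typing import Iterable, List

# Constructed for this example: the RFC 1918 private ranges named in the release notes.
RFC1918_RANGES = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def parse_cidr_ranges(ranges: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-delimited CIDR list, tolerating surrounding whitespace.

    A malformed range raises ValueError instead of being skipped: a silently
    dropped range would let a blacklist pass internal addresses through.
    """
    networks = []
    for item in ranges.split(","):
        item = item.strip()
        if item:
            # strict=False accepts ranges written with host bits set (10.1.2.3/8).
            networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks


def is_in_cidr_ranges(address: str, ranges: str) -> bool:
    """True if the IPv4 address falls inside any of the given CIDR ranges."""
    ip = ipaddress.IPv4Address(address.strip())
    return any(ip in net for net in parse_cidr_ranges(ranges))


def is_rfc1918_address(address: str) -> bool:
    return is_in_cidr_ranges(address, RFC1918_RANGES)


def _filter(addresses: Iterable[str], ranges: str, keep_matching: bool) -> List[str]:
    networks = parse_cidr_ranges(ranges)
    kept = []
    for value in addresses:
        try:
            ip = ipaddress.IPv4Address(value.strip())
        except ValueError:
            continue  # not an IPv4 address (hostname, IPv6, junk): in neither output
        if any(ip in net for net in networks) == keep_matching:
            kept.append(value)
    return kept


def ipv4_whitelist(addresses: Iterable[str], ranges: str) -> List[str]:
    """Keep only addresses inside the ranges (e.g. internal space)."""
    return _filter(addresses, ranges, keep_matching=True)


def ipv4_blacklist(addresses: Iterable[str], ranges: str) -> List[str]:
    """Drop addresses inside the ranges, keeping the rest (e.g. external peers)."""
    return _filter(addresses, ranges, keep_matching=False)
```

Note that 172.16.0.0/12 ends at 172.31.255.255, so an address such as 172.32.0.1 is public and survives the blacklist.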

9 Improved Scripts

  • UnEscapeURLs
    Improved handling of Proofpoint v3 URLs.
  • SearchIncidents
    Fixed the examples in command descriptions.
  • RegexGroups
    Updated the RegexGroups transformer to Python 3 in order to support special ASCII characters and additional error handling (requires Demisto 5.0).
  • SaneDocReports
    • Fixed table and list functions.
    • Fixed an issue where trends had long floating point values.
    • Fixed an issue where line charts with more than 40 columns were not readable.
  • CopyContextToField
    Added the ability to set the value of an incident field from the value of a context key. If the context key is a list, the first element of the list is taken as the value.
  • DeleteContext
    Added the auto option to the subplaybook argument. Use auto to delete either from the sub-playbook context (if the playbook is called as a sub-playbook) or from the global context (if the playbook is the master playbook).
  • CommonServerPython
    Fixed the IntegrationLogger auto-replace of sensitive strings.
  • HTMLDocsAutomation
    • Fixed an issue where commands in the top part were in the format name:name instead of description:name.
    • Added links for the list of commands to each command.
  • XDRSyncScript
    Fixed an issue where the XDRSyncScript script executed the xdr-update-incident command even when required arguments were empty.

Playbooks

11 New Playbooks

  • ExtraHop - Ticket Tracking
    Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. Documentation was provided by ExtraHop.
  • ExtraHop - Get Peers by Host
    Given a host, the playbook retrieves the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes), the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
  • Block Indicators - Generic v2
    This playbook blocks malicious Indicators using all integrations that are enabled, using several sub-playbooks.
  • Impossible Traveler
    This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler).
  • Indicator Pivoting - DomainTools Iris
    Pivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP address returns all domains related to that IP address.
  • ExtraHop - Default
    This is the default playbook to run for all ExtraHop Detection incidents, which handles ticket tracking and triggers specific playbooks based on the name of the ExtraHop Detection. Documentation was provided by ExtraHop.
  • Isolate Endpoint - Generic
    This playbook isolates a given endpoint.
  • Block File - Cybereason
    This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
  • Block File - Generic v2
    This playbook is used to block files from running on endpoints.
  • Block File - Cylance Protect v2
    This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration.
  • DBot Create Phishing Classifier V2
    Creates a phishing classifier, based on email content, using machine learning.
  • DBot Create Phishing Classifier V2 Job
    Trains the phishing machine learning model. This playbook should be used as a job that runs repeatedly, for example every week.

3 Improved Playbooks

  • Block IP - Generic v2
    Fixed output descriptions.
  • Endpoint Enrichment - Generic v2.1
    Added support for the ExtraHop Reveal(x) integration.
  • Phishing Investigation - Generic v2
    • Fixed an issue where the task that saves the email address of the reporter of the phishing email was disconnected from the previous task.
    • Fixed an issue where the DT that was used to get the display name of the user who reported the email was invalid.

Widgets

New Widget

  • Page Break Widget
    Use the page break widget in a report to force a page break before the widgets that follow.

Incident Fields

19 New Incident Fields

  • Sign In Date Time
    The date and time when the second sign in of the user occurred, in ISO-8601 format.
  • Coordinates
    The coordinates of the location from which the user logged in.
  • Source IP
    The IP address from which the user initially logged in.
  • Raw Participants
    Raw list of participant objects associated with the ExtraHop Reveal(x) detection.
  • ExtraHop Hostname
    Hostname of the ExtraHop Reveal(x) that created the detection.
  • Risk Score
    Risk score associated with the ExtraHop Reveal(x) detection.
  • Previous Sign In Date Time
    The date and time when the first sign in of the user occurred, in ISO-8601 format.
  • Username
    The username of the account that logged in.
  • Detection ID
    ID of the ExtraHop Reveal(x) detection.
  • Destination IP
    The IP address to which the impossible traveler logged in.
  • Travel Map Link
    The link to a map that shows the travel path of the user.
  • Detection Update Time
    Timestamp of when the ExtraHop Reveal(x) detection was last updated.
  • Detection Ticketed
    Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x).
  • Previous Coordinates
    The coordinates of the location from which the user previously logged in.
  • Participants
    List of participant objects associated with the ExtraHop Reveal(x) detection.
  • Detection End Time
    Timestamp of when the ExtraHop Reveal(x) detection ended.
  • Previous Source IP
    The previous IP address from which the user logged in.
  • Detection URL
    URL of the ExtraHop Reveal(x) detection.
  • ExtraHop Appliance ID
    Appliance ID of the ExtraHop Reveal(x) that created the detection.

Incident Layouts

6 New Incident Layouts

  • ExtraHop Detection - Mobile
    Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - Close
    Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - New/Edit
    Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - Summary
    Added a layout for the ExtraHop Detection incident type.
  • Impossible Traveler - Summary
    Added a layout for the Impossible Traveler incident type.
  • ExtraHop Detection - Quick View
    Added a layout for the ExtraHop Detection incident type.
