Demisto Content Release Notes for version 19.11.1 (34712)
Published on 26 November 2019
Integrations
7 New Integrations
- Azure Security Center v2
Unified security management and advanced threat protection across hybrid cloud workloads.
- JsonWhoIs
Provides data enrichment for domains and IP addresses.
- Microsoft Graph Mail Single User
Microsoft Graph allows Demisto authorized access to a user's Outlook mail data in a personal or organization account.
- PhishLabs IOC EIR
Get live feeds of IOC data from PhishLabs.
- Tanium v2
Tanium endpoint security and systems management.
- Azure Compute v2
Create and manage Azure VMs.
- FireEye Helix
FireEye Helix is a security operations platform that integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.
25 Improved Integrations
- EWS v2
  - Improved logging.
  - Added the Max incidents per fetch parameter, which specifies the maximum number of incidents to retrieve per fetch. The maximum is 50.
- Microsoft Graph User
Added pagination to the msgraph-user-list command.
- Red Canary
Added the Reason, EndpointID, and EndpointUserID keys to the detections context.
- Hybrid Analysis
  - Added the jobID, sha256 and environmentID arguments to the hybrid-analysis-get-report-status command.
  - Added the malicious_threat_levels argument to the hybrid-analysis-detonate-file command.
  - The hybrid-analysis-detonate-file command now works as expected.
- RSA Archer
Fixed an issue with the presentation of user display names.
- Carbon Black Enterprise Response
Added the cb-binary-download command, which replaces the deprecated cb-binary-get command.
- ArcSight ESM v2
Fixed an issue with the response encoding.
- Anomali ThreatStream v2
Fixed an issue with DBotScore context data.
- SentinelOne V2
Fixed an issue in the fetch-incidents function.
- Palo Alto Networks PAN-OS
  - Added support for a list of job_id values in the panorama-query-logs and panorama-check-logs-status commands.
  - Added the ip argument to the panorama-query-logs command.
- IBM QRadar
Fixed an issue in the outputs of the get-search-results command.
- Tenable.io
Fixed an issue in the tenable-io-get-vulnerabilities-by-asset command.
- Palo Alto Networks WildFire v2
  - Added validation to the server parameter.
  - Fixed an issue with DBotScore context data.
- RSA NetWitness Packets and Logs
Fixed an issue in query parsing.
- MISP V2
Added support for searching events by tags using the logical operators AND, OR, and NOT.
- Stealthwatch Cloud
Fixed an issue where incidents were fetched multiple times.
- Slack v2
  - Added handling of Slack API rate-limit responses.
  - Added an optional parameter to specify a proxy URL to use with the Slack API.
- McAfee Advanced Threat Defense
Fixed an issue with the integration's proxy settings.
- Proofpoint TAP v2
  - Fixed the fetch-incidents function, which did not fetch duplicate values.
  - Added the proofpoint-get-forensics command.
  - Added context outputs for the proofpoint-get-events command.
- SumoLogic
  - Added the fetchDelay parameter, which defines the time between fetch-incidents executions.
  - Added the fetchRecords parameter to fetch aggregate results instead of messages.
  - Updated the SumoLogic logo.
- AWS - ACM
Fixed issues with the Proxy and Insecure settings.
- Atlassian Jira (v2)
Added the attachmentName parameter to the jira-issue-upload-file command, which sets the attachment name in Jira.
- nmap
Fixed an issue in nmap scans that use the -sn flag.
- Have I Been Pwned? V2
Added batch support for the domain and email commands.
- Cofense Triage
Fixed an issue with the test module.
4 Deprecated Integrations
- ExtraHop
We recommend using the ExtraHop Reveal(x) integration instead.
- Azure Compute
Deprecated.
- Azure Security Center
Deprecated.
- AlienVault OTX
We recommend using the AlienVault OTX v2 integration instead.
Scripts
2 New Scripts
- SetIfEmpty
Checks an object for an empty value and returns a preset default value.
- ExtractFQDNFromUrlAndEmail
Extracts FQDNs from URLs and emails.
7 Improved Scripts
- PositiveDetectionsVSDetectionEngines
  - Displays a bar chart of the number of positive detections out of overall detections. Tagged as dynamic-indicator-section.
  - Fixed an issue that made zero values return wrong results.
- CommonServerPython
BaseClient now uses the session function to maintain an open session with the server.
- FilterByList
Added the option to search for an exact match.
- ExtractDomainFromUrlAndEmail
Added support to identify URLs and domains prefixed with http: or http:\.
- UnEscapeURLs
Added support to identify URLs and domains prefixed with http: or http:\.
- StixParser
You can now parse single-object STIX 2 files.
- SumList
  - Fixed an issue with handling input as a comma-separated string.
  - Added support for floating-point numbers.
Playbooks
11 New Playbooks
- Access Investigation - Generic - NIST
Investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.
- PAN-OS - Block Domain - External Dynamic List
Blocks domains using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
- Convert file hash to corresponding hashes
Enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
- Tanium - Get Saved Question Result
Uses generic polling to get saved question results.
- Endpoint Malware Investigation - Generic
This playbook is triggered by a malware incident from an Endpoint type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.
- NIST - Handling an Incident Template
This playbook contains the phases for handling an incident as described in the Handling an Incident section of the NIST Computer Security Incident Handling Guide.
- Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration
Remediates Prisma Cloud AWS IAM password policy alerts.
- Prisma Cloud Remediation - AWS IAM Policy Misconfiguration
Remediates Prisma Cloud AWS IAM policy alerts.
- NIST - Lessons Learned
This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
- FireEye Helix Archive Search
Creates an archive search in FireEye Helix, and fetches the results as events.
- Tanium - Ask Question
Uses generic polling to get question results.
6 Improved Playbooks
- Impossible Traveler
The countries from which the user logged in are now saved in incident fields and are displayed in the layout.
- Isolate Endpoint - Generic
Added playbook outputs.
- Panorama Query Logs
Added the ip argument to the playbook.
- Phishing - Core
Fixed an issue where Rasterize would attempt to run even if inactive.
- Traps Isolate Endpoint
Added playbook outputs.
- Extract Indicators From File - Generic v2
Extracts indicators from a file.
Widgets
Improved Widget
- Page Break Widget
Fixed an issue in the page break widget for PDF and DOC reports.
Incident Fields
- Threat Actor
The threat actor.
- Host Name
The host name.
- Previous Country
The country from which the user previously logged in.
- NIST Stage
The investigation's current NIST stage.
- Associated to the Malware incident type.
- Associated the field with the Impossible Traveler event type.
Incident Layouts
New Incident Layout
- Malware - Summary
Added a layout for the Malware incident type. Requires Demisto v5.0.
Improved Incident Layout
- Impossible Traveler - Summary
Added a layout for the Impossible Traveler incident type.
Classification & Mapping
New Classification & Mapping
- Microsoft Graph Mail Single User
Added a classifier for the Microsoft Graph Mail Single User integration.
Reputations
- Added support to identify URLs and domains prefixed with http: or http:\.
- Added support for FQDN extraction as a domain indicator type.