Demisto Content Release Notes for version 19.12.0 (35835)
Published on 10 December 2019
Integrations
5 New Integrations
- Accessdata
Use the Accessdata integration to protect against and provide additional visibility into phishing and other malicious email attacks.
- IronDefense
Use the IronDefense integration to rate alerts, update alert statuses, add comments to alerts, and to report observed bad activity.
- Microsoft Graph Groups
Use the Microsoft Graph Groups integration to create and manage different types of groups and group functionality.
- Gmail Single User (Beta)
Use the Gmail Single User integration to send and receive emails from a single user's mailbox. Authentication is performed using the OAuth 2.0 protocol.
- Blue Coat Content and Malware Analysis (Beta)
Blue Coat Content and Malware Analysis.
22 Improved Integrations
- MISP V2
You can now filter an event by attribute data fields.
- Alexa Rank Indicator
  - Added a fallback for when the default endpoint is inaccessible.
  - Added support for connecting through a proxy.
  - Updated DBotScore outputs.
- CrowdStrike Falcon Sandbox
The crowdstrike-submit-sample command now works as expected.
- PhishLabs IOC EIR v2
Changed the display name to PhishLabs EIR v2.
- Microsoft Graph User
Fixed an issue where the msgraph-user-create command did not work if the optional argument other_properties was not supplied. You can now run this command without supplying the other_properties argument.
- RSA Archer
  - Fixed an issue when retrieving app IDs for applications with reverse field mapping.
  - Added support for multiselect fields in the following commands.
    - archer-create-record
    - archer-update-record
  - Added support for specifying users in type 8 fields in the following commands.
    - archer-create-record
    - archer-update-record
- WhatIsMyBrowser
Added support for the extend-context argument in the ua-parse command.
- LogRhythm
Fixed an issue with an error message in the lr-get-alarms command.
- Palo Alto Networks PAN-OS EDL Management
  - Updated the detailed description.
  - Fixed an issue where the pan-os-edl-update command failed in scp_execute() when the file path included space characters.
  - Fixed an issue where the ssh_execute() function failed when the file name included space characters.
  - Added the following commands.
    - pan-os-edl-update-internal-list
    - pan-os-edl-update-external-file
- VirusTotal
  - Added batch support for the reputation commands (ip, url, and domain).
  - Fixed an issue where the DBotScore would create duplicate entries in the incident context. This affects Demisto v5.5 and later.
- Symantec Managed Security Services
You can now use special characters in comments when running the symantec-mss-update-incident command.
- Atlassian Jira (v2)
Improved support for the following authentication methods. (Requires Demisto v5.0)
  - Basic
  - OAuth 1.0
- Exabeam
  - Improved error handling.
  - Added the prefix exabeam- to all commands.
  - Added 2 new commands.
    - exabeam-delete-watchlist
    - exabeam-get-asset-data
- FireEye HX
Fixed an issue where the fireeye-hx-file-acquisition command would fail on a timeout.
- Anomali ThreatStream v2
  - The threatstream-import-indicator-with-approval command now works as expected.
  - Added support for comma-separated values in the reputation commands (ip, file, domain, and url).
- Palo Alto Networks PAN-OS
  - Fixed an issue where the status of log queries that returned zero results was not updated to Completed.
  - Added 2 commands.
    - panorama-get-url-category-from-cloud
    - panorama-get-url-category-from-host
  - Added support to get, create, and edit custom URL category objects, including using the categories attribute in PAN-OS v9.x and above.
- EWS Mail Sender
Fixed an issue where threads were not closed after executing the command.
- Active Directory Query v2
Improved handling of error messages.
- PhishLabs IOC EIR
Changed the display name to Phishlabs IOC EIR.
- Microsoft Graph Mail
Added 7 new commands.
  - msgraph-mail-list-folders
  - msgraph-mail-list-child-folders
  - msgraph-mail-create-folder
  - msgraph-mail-update-folder
  - msgraph-mail-delete-folder
  - msgraph-mail-move-email
  - msgraph-mail-get-email-as-eml
- Slack v2
  - Fixed an issue where mirrored investigations contained mismatched user names.
  - Added reporter and reporter email as labels to incidents that are created by direct messages.
- CrowdStrike Falcon
Fixed an issue with fetch incidents, which caused incident duplication.
Deprecated Integration
- Phishme Intelligence
Use the Cofense Intelligence integration instead.
Scripts
5 New Scripts
- AccessdataCheckProcessExistsInSnapshot
Reads the contents of the process list XML file from context and checks whether the given process exists in the process list.
- GetEWSFolder
Retrieves emails from multiple folders of an account in a single batch.
- ExportMLModel
Exports an existing machine learning (ML) model to a file.
- ImportMLModel
Imports a file that contains a machine learning (ML) model.
- ConvertAllExcept
Converts all selected values except the specified exceptions.
9 Improved Scripts
- ReadPDFFileV2
  - Added support for processing PDF files that generate a warning.
  - Fixed an issue with URL extraction from PDF files.
- ParseEmailFiles
Fixed an issue with handling S/MIME-signed files with no attachments.
- CheckEmailAuthenticity
  - Fixed an issue where the script did not properly determine the authenticity of some emails.
  - Fixed an issue where the DKIM signing domain was not identified.
- ZipFile
Fixed an issue where output values did not match the output paths.
- QRadarGetOffenseCorrelations
Added support for different CRE name default values.
- UnzipFile
Fixed an issue where supplying a wrong password would still upload a file to the War Room.
- UnEscapeURLs
Fixed an issue where special characters in URLs were parsed incorrectly.
- ProofpointDecodeURL
Deprecated. Changed to call UnEscapeURLs.
- QRadarGetCorrelationLogs
Added support for different CRE name default values.
Playbooks
3 New Playbooks
- PAN-OS Query Logs For Indicators
This playbook queries the following PAN-OS log types: traffic, threat, url, data-filtering, and wildfire. The playbook accepts inputs such as IP, hash, and URL.
- Get Mails By Folder Pathes
This playbook retrieves emails from specified folders and executes pre-processing using EWS.
- Accessdata: Dump memory for malicious process
Use this playbook as a sub-playbook to dump memory if a given process is running on a legacy AD agent.
2 Improved Playbooks
- PAN-OS Commit Configuration
Removed PA-VM as the firewall identifier and changed the condition to else.
- PhishingDemo-Onboarding
The playbook now uses the updated File output context path of the extractIndicators command.
Reports
Improved Report
- Critical and High incidents
Table column names are now capitalized.
Classification & Mapping
New Classification & Mapping
- Gmail Single User
Gmail Single User integration now supports the OAuth 2.0 protocol.
2 Improved Classification & Mapping
- RedLock
Updated the classifier with a new transformer.
- prismaCloud_app
Updated the classifier with a new transformer.