Demisto Content Release Notes for version 19.12.1 (36874)
Published on 25 December 2019
Integrations
9 New Integrations
- Microsoft Graph Calendar
Use the Microsoft Graph Calendar integration to create and manage different calendars and events according to your requirements.
- Lockpath KeyLight v2
Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
- Flashpoint
Use the Flashpoint integration to reduce business risk.
- Infoblox
Use the Infoblox integration to receive metadata about IPs in your network, and to manage the DNS Firewall by configuring RPZs.
- PhishLabs IOC DRP
Use the PhishLabs IOC DRP integration to retrieve live feeds of Digital Risk Protection from PhishLabs.
- McAfee DXL
Use the McAfee DXL integration to enable different products to communicate via a standard API.
- SecBI
Use the SecBI integration, a threat intelligence and investigation platform, to automate detection and investigation, including remediation and prevention policy enforcement on all integrated appliances.
- Akamai WAF SIEM
Use the Akamai WAF SIEM integration to retrieve security events from the Akamai Web Application Firewall (WAF) service.
- OpenLDAP (Beta)
Use the OpenLDAP (Beta) integration to authenticate using OpenLDAP.
27 Improved Integrations
- Palo Alto Networks Cortex
Fixed an issue with the fetch incidents function in which failed jobs raised an exception.
- Microsoft Graph User
Added content-version and content-name headers to Oproxy request.
- Microsoft Graph Mail
Added content-version and content-name headers to Oproxy request.
- Cofense Triage
Fixed an issue with the test module.
- Joe Security
Fixed an issue in the joe-analysis-submit-sample command where the system field output returned duplicates.
- Microsoft Graph Groups
Added content-version and content-name headers to Oproxy request.
- IBM QRadar
Fixed an issue in which the qradar-get-assets command failed when a user supplied a value for the fields parameter.
- LogRhythm
The lr-execute-query command now works as expected.
- PhishLabs IOC EIR
  - Added the period argument to the phishlabs-ioc-eir-get-incidents command, which defines the time range for which to return incidents.
  - Improved the implementation of the fetch incidents functionality.
  - Improved the integration documentation.
  - Changed the display name to PhishLabs IOC EIR.
- Palo Alto Networks AutoFocus V2
Added 4 reputation commands.
  - ip
  - domain
  - file
  - url
- SplunkPy
Enhanced the execution speed of the splunk-search command.
- Azure Security Center v2
Added content-version and content-name headers to Oproxy request.
- Carbon Black Enterprise Live Response
  - Deprecated the cb-memdeump command. Use the cb-memdump command instead.
  - Fixed an issue where the cb-memdeump command did not initiate a memory dump on the server endpoint.
- Azure Compute v2
Added content-version and content-name headers to Oproxy request.
- Mimecast
  - Added 9 commands.
    - mimecast-find-groups
    - mimecast-get-group-members
    - mimecast-add-group-member
    - mimecast-remove-group-member
    - mimecast-create-group
    - mimecast-update-group
    - mimecast-create-remediation-incident
    - mimecast-get-remediation-incident
    - mimecast-search-file-hash
  - Fixed an issue with the instance SSL configuration.
- IntSights
Fixed an issue with the is-hidden and rate arguments in the intsights-close-alert command.
- Tanium v2
Fixed an issue where the tn-get-question-result command returned empty results.
- RSA Archer
Fixed an issue where reports generated by the GenerateInvestigationReport script failed to upload to RSA Archer.
- Active Directory Query v2
Fixed a typo in the name of the custom-field-data argument.
- Gmail
  - Added a new command.
    - gmail-get-role
  - Improved the outputs for the following commands.
    - gmail-get-user-roles
    - gmail-list-filters
    - gmail-add-filter
- EWS v2
Fixed an issue where threads did not close after executing commands.
- EWS Mail Sender
Improved performance and functionality.
- Microsoft Graph Security
Added content-version and content-name headers to Oproxy request.
- RSA NetWitness v11.1
Fixed an issue where the environment proxy affected the integration when no proxy should be used.
- CrowdStrike Falcon
  - Added the following real-time response API commands.
    - cs-falcon-run-command
    - cs-falcon-upload-script
    - cs-falcon-get-script
    - cs-falcon-delete-script
    - cs-falcon-list-scripts
    - cs-falcon-upload-file
    - cs-falcon-delete-file
    - cs-falcon-get-file
    - cs-falcon-list-files
    - cs-falcon-run-script
  - Added the email argument to the cs-falcon-resolve-detection command, which can be used instead of the ids argument.
- Rasterize
Fixed an issue with the rasterize command in which child processes were defunct.
- Windows Defender Advanced Threat Protection
Added content-version and content-name headers to Oproxy request.
2 Deprecated Integrations
- Intezer
Use the Intezer v2 integration instead.
- Lockpath Keylight
Use the Lockpath Keylight v2 integration instead.
Scripts
4 New Scripts
- RegexExtractAll
Extracts all matches of a specified regular expression pattern from a provided string. Returns an array containing all matches of the pattern, not just specific groups. Useful for extraction with a pattern where the content of the source string is indeterminate, such as extracting all email addresses. The 'regex' library is used, which supports more advanced regex functionality than the standard 're' library. The following arguments have been added.
  - Convenience arguments that enhance usability: multi-line, ignore_case, and period_matches_newline.
  - The error_if_no_match argument. By default, the script does not throw an error if a match is not found; if the script is not used as a transformer within a playbook, you might want it to throw an error when the expression does not match.
- GetMLModelEvaluation
Finds a threshold for the ML model and performs an evaluation based on it.
- PrettyPrint
Pretty-prints data using Python's pprint library. This is useful for seeing the structure of incident and context data.
- KeylightCreateIssue
Use this script to simplify the process of creating or updating a record in Keylight v2.
11 Improved Scripts
- IPv4Blacklist
  - Improved script implementation.
  - Breaking changes: updated Docker image.
- DBotPredictPhishingWords
  - Added support for text highlighting.
  - Added support for a minimum text-length argument.
  - Added an argument to not return an error when there is no prediction.
- GetTime
Fixed an issue where providing a date input from context returned the current date instead of the provided date.
- IPv4Whitelist
  - Improved script implementation.
  - Breaking changes: updated Docker image.
- UnzipFile
The file size (in bytes) is now returned as expected.
- SaneDocReports
  - Fixed an issue where the line chart x-axis was not readable.
  - Fixed an issue with the graph width.
- IsRFC1918Address
  - Improved script implementation.
  - Breaking changes: updated the script Docker image.
- IsNotInCidrRanges
  - Improved script implementation.
  - Breaking changes: updated the script Docker image.
- DBotTrainTextClassifierV2
Added a new evaluation methodology and metrics to the logic of the trained model.
- IsInCidrRanges
  - Improved script implementation.
  - Breaking changes: updated the script Docker image.
- ParseEmailFiles
Added handling for cases where an attachment has neither the DisplayName nor the AttachFilename property.
Playbooks
5 New Playbooks
- CVE Enrichment - Generic v2
Performs CVE enrichment using the following integrations.
  - VulnDB
  - CVE Search
  - IBM X-Force Exchange
- Active Directory - Get User Manager Details
Takes an email address or a username of a user account in Active Directory, and returns the email address of the user's manager.
- PANW - Hunting and threat detection by indicator type
This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on file hashes, IP addresses, or domain names, provided manually or taken from the outputs of other playbooks.
- Block IOCs from CSV - External Dynamic List
Parses a CSV file of IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
- QRadar Indicator Hunting
Queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, and URLs.
14 Improved Playbooks
- Endpoint Malware Investigation - Generic
Added new playbook inputs.
- Intezer - Analyze by hash
Fixed an issue where the playbook finished before the analysis was completed.
- PAN-OS - Block URL - Custom URL Category
Added new playbook inputs.
- DBot Create Phishing Classifier V2
Updated the evaluation metrics of the trained model.
- Intezer - Analyze Uploaded file
Fixed an issue where the playbook finished before the analysis was completed.
- PAN-OS EDL Setup
Rule position is no longer mandatory, and the default position was changed to Top.
- Palo Alto Networks - Endpoint Malware Investigation
  - Added the new sub-playbook PANW - Hunting and threat detection by indicator type.
  - Added new playbook inputs.
- PAN-OS - Block IP and URL - External Dynamic List
  - Fixed an issue with EDL refresh for Panorama.
  - Added new playbook inputs.
- PAN-OS - Create Or Edit Rule
Rule position is no longer mandatory, and the default position was changed to Bottom.
- PAN-OS DAG Configuration
Rule position is no longer mandatory, and the default position was changed to Top.
- Access Investigation - Generic - NIST
  - Fixed inputs for IP Enrichment - Generic v2.
  - Removed the Change severity task.
- Block IP - Generic v2
Added playbook inputs to establish the PAN-OS remediation path.
- Palo Alto Networks - Malware Remediation
Added the new sub-playbook PAN-OS - Block Domain - External Dynamic List.
- PAN-OS - Block Domain - External Dynamic List
  - Fixed an issue with EDL refresh for Panorama.
  - Added new playbook inputs.