Demisto Content Release 19.12.1 (36874)

Demisto Content Release Notes for version 19.12.1 (36874)

Published on 25 December 2019

Integrations

9 New Integrations

  • Microsoft Graph Calendar
    Use the Microsoft Graph Calendar integration to create and manage different calendars and events according to your requirements.
  • Lockpath KeyLight v2
    Use the LockPath KeyLight integration to manage GRC tickets in the Keylight platform.
  • Flashpoint
    Use the Flashpoint integration to reduce business risk.
  • Infoblox
    Use the Infoblox integration to receive metadata about IPs in your network, and manage the DNS Firewall by configuring RPZs.
  • PhishLabs IOC DRP
    Use the PhishLabs IOC DRP integration to retrieve live feeds of Digital Risk Protection from PhishLabs.
  • McAfee DXL
    Use the McAfee DXL integration to enable different products to communicate via a standard API.
  • SecBI
    Use the SecBI integration, a threat intelligence and investigation platform, to automate detection and investigation, including remediation and prevention policy enforcement on all integrated appliances.
  • Akamai WAF SIEM
    Use the Akamai WAF SIEM integration to retrieve security events from Akamai Web Application Firewall (WAF) service.
  • OpenLDAP (Beta)
    Use the OpenLDAP (Beta) integration to authenticate using Open LDAP.

27 Improved Integrations

  • Palo Alto Networks Cortex
    Fixed an issue with the fetch incidents function in which failed jobs raised an exception.
  • Microsoft Graph User
    Added content-version and content-name headers to Oproxy request.
  • Microsoft Graph Mail
    Added content-version and content-name headers to Oproxy request.
  • Cofense Triage
    Fixed an issue with test module.
  • Joe Security
    Fixed an issue in the joe-analysis-submit-sample command where the system field output returned duplicates.
  • Microsoft Graph Groups
    Added content-version and content-name headers to Oproxy request.
  • IBM QRadar
    Fixed an issue in which the qradar-get-assets command failed when a user supplied a value for the fields parameter.
  • LogRhythm
    The lr-execute-query command now works as expected.
  • PhishLabs IOC EIR
    • Added the period argument to the phishlabs-ioc-eir-get-incidents command, which defines the time range for which to return incidents.
    • Improved implementation of the fetch incidents functionality.
    • Improved the integration documentation.
    • Changed the display name to PhishLabs IOC EIR.
  • Palo Alto Networks AutoFocus V2
    Added 4 reputation commands.
    • ip
    • domain
    • file
    • url
  • SplunkPy
    Enhanced the execution speed of the splunk-search command.
  • Azure Security Center v2
    Added content-version and content-name headers to Oproxy request.
  • Carbon Black Enterprise Live Response
    • Deprecated the cb-memdeump command. Use the cb-memdump command instead.
    • Fixed an issue where the cb-memdeump did not initiate a memory dump on the server endpoint.
  • Azure Compute v2
    Added content-version and content-name headers to Oproxy request.
  • Mimecast
    • Added 9 commands.
      • mimecast-find-groups
      • mimecast-get-group-members
      • mimecast-add-group-member
      • mimecast-remove-group-member
      • mimecast-create-group
      • mimecast-update-group
      • mimecast-create-remediation-incident
      • mimecast-get-remediation-incident
      • mimecast-search-file-hash
    • Fixed an issue with instance SSL configuration.
  • IntSights
    Fixed an issue with the is-hidden and the rate arguments in the intsights-close-alert command.
  • Tanium v2
    Fixed an issue where the tn-get-question-result command returned empty results.
  • RSA Archer
    Fixed an issue where reports generated from the GenerateInvestigationReport script failed to upload to RSA Archer.
  • Active Directory Query v2
    Fixed a typo in the name of the custom-field-data argument.
  • Gmail
    • Added a new command.
      • gmail-get-role
    • Improved the outputs for the following commands.
      • gmail-get-user-roles
      • gmail-list-filters
      • gmail-add-filter
  • EWS v2
    Fixed an issue where threads did not close after executing commands.
  • EWS Mail Sender
    Improved performance and functionality.
  • Microsoft Graph Security
    Added content-version and content-name headers to Oproxy request.
  • RSA NetWitness v11.1
    Fixed an issue where the environment proxy affected the integration, when no proxy should be used.
  • CrowdStrike Falcon
    • Added the following real-time response API commands.
      • cs-falcon-run-command
      • cs-falcon-upload-script
      • cs-falcon-get-script
      • cs-falcon-delete-script
      • cs-falcon-list-scripts
      • cs-falcon-upload-file
      • cs-falcon-delete-file
      • cs-falcon-get-file
      • cs-falcon-list-files
      • cs-falcon-run-script
    • Added the email argument to the cs-falcon-resolve-detection command, which can be used instead of the ids argument.
  • Rasterize
    Fixed an issue with the rasterize command in which child processes were defunct.
  • Windows Defender Advanced Threat Protection
    Added content-version and content-name headers to Oproxy request.

2 Deprecated Integrations

  • Intezer
    Use the Intezer v2 integration instead.
  • Lockpath Keylight
    Use the Lockpath Keylight v2 integration instead.

Scripts

4 New Scripts

  • RegexExtractAll
    • Extracts all matches of a specified regular expression pattern from a provided string. Returns an array of results containing all matches of the pattern, not just specific groups. Useful for extraction with a pattern where the content of the source string is indeterminate, such as extracting all email addresses. The 'regex' library is used, which supports more advanced regex functionality than the standard 're' library.
    • The following arguments have been added.
      • Convenience arguments that enhance usability: multi-line, ignore_case, and period_matches_newline.
      • The error_if_no_match argument. By default, the script does not throw an error if no match is found. When the script is not used as a transformer within a playbook, you might want it to throw an error if the expression does not match.
  • GetMLModelEvaluation
    Finds a threshold for the ML model and performs an evaluation based on it.
  • PrettyPrint
    Pretty-print data using Python's pprint library. This is useful for seeing the structure of an incident and context data.
  • KeylightCreateIssue
    Use this script to simplify the process of creating or updating a record in Keylight v2.

11 Improved Scripts

  • IPv4Blacklist
    • Improved script implementation.
    • Breaking changes: updated Docker image.
  • DBotPredictPhishingWords
    • Added support for text highlighting.
    • Added support for minimum text-length argument.
    • Added an argument that controls whether an error is returned when there is no prediction.
  • GetTime
    Fixed an issue where providing a date input from context returned the current date instead of the provided date.
  • IPv4Whitelist
    • Improved script implementation.
    • Breaking changes: updated Docker image.
  • UnzipFile
    The file size (in bytes) is now returned as expected.
  • SaneDocReports
    • Fixed an issue where the line chart x-axis was not readable.
    • Fixed an issue with the graph width.
  • IsRFC1918Address
    • Improved script implementation.
    • Breaking changes: updated the script Docker image.
  • IsNotInCidrRanges
    • Improved script implementation.
    • Breaking changes: updated the script Docker image.
  • DBotTrainTextClassifierV2
    Added new evaluation methodology and metrics to the logic of the trained model.
  • IsInCidrRanges
    • Improved script implementation.
    • Breaking changes: updated the script Docker image.
  • ParseEmailFiles
    Added handling for cases where an attachment has neither the DisplayName nor the AttachFilename properties.

Playbooks

5 New Playbooks

  • CVE Enrichment - Generic v2
    Performs CVE Enrichment using the following integrations.
    • VulnDB
    • CVE Search
    • IBM X-Force Exchange
  • Active Directory - Get User Manager Details
    Takes an email address or a username of a user account in an Active Directory, and returns the email address of the user's manager.
  • PANW - Hunting and threat detection by indicator type
    This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on file hashes, IP addresses, or domain names provided manually or taken from outputs of other playbooks.
  • Block IOCs from CSV - External Dynamic List
    Parses a CSV file with IOCs and blocks them using Palo Alto Networks External Dynamic Lists.
  • QRadar Indicator Hunting
    Queries QRadar SIEM for indicators, such as file hashes, IP addresses, domains, and URLs.

14 Improved Playbooks

  • Endpoint Malware Investigation - Generic
    Added new playbook inputs.
  • Intezer - Analyze by hash
    Fixed an issue where the playbook finished before the analysis was completed.
  • PAN-OS - Block URL - Custom URL Category
    Added new playbook inputs.
  • DBot Create Phishing Classifier V2
    Updated evaluation metrics of the trained model.
  • Intezer - Analyze Uploaded file
    Fixed an issue where the playbook finished before the analysis was completed.
  • PAN-OS EDL Setup
    Rule position is no longer mandatory, and the default position was changed to Top.
  • Palo Alto Networks - Endpoint Malware Investigation
    • Added the new sub-playbook PANW - Hunting and threat detection by indicator type.
    • Added new playbook inputs.
  • PAN-OS - Block IP and URL - External Dynamic List
    • Fixed an issue with EDL refresh for Panorama.
    • Added new playbook inputs.
  • PAN-OS - Create Or Edit Rule
    Rule position is no longer mandatory, and the default position was changed to Bottom.
  • PAN-OS DAG Configuration
    Rule position is no longer mandatory, and the default position was changed to Top.
  • Access Investigation - Generic - NIST
    • Fixed inputs for IP Enrichment - Generic v2.
    • Removed the Change severity task.
  • Block IP - Generic v2
    Added playbook inputs to establish the PAN-OS remediation path.
  • Palo Alto Networks - Malware Remediation
    Added the new sub-playbook PAN-OS - Block Domain - External Dynamic List.
  • PAN-OS - Block Domain - External Dynamic List
    • Fixed an issue with EDL refresh for Panorama.
    • Added new playbook inputs.