Demisto Content Release Notes for version 19.4.0 (20832)
Published on 02 April 2019
Integrations
6 New Integrations
- CrowdStrike Falcon
The CrowdStrike Falcon OAuth 2 API integration (formerly Falcon Firehose API) enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
- ExtraHop
ExtraHop performs real-time stream analysis of the packets that carry data across a network.
- Signal Sciences WAF
Protect your web application using Signal Sciences.
- Snowflake
Analytic data warehouse provided as Software-as-a-Service.
- Tufin
Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack.
- Vertica
Analytic database management software.
23 Improved Integrations
- Active Directory Query v2
- Added the context-output argument to the ad-search command. If the argument is set to no, the command will not output results.
- Improved functionality of the size-limit argument in the ad-search command.
- ArcSight ESM v2
Added an integration instance parameter that limits the number of incidents that are fetched each time.
- Azure Compute
Fixed an issue with the azure-vm-create-instance command.
- Palo Alto AutoFocus
- Fixed an issue with entry tables.
- Improved handling of HTTP errors.
- Centreon
Fixed proxy logic.
- Cisco Umbrella Investigate
Added a threshold parameter to the integration instance configuration, which can override the default malicious score.
- CrowdStrike Falcon Sandbox
Improved how URLs are submitted to CrowdStrike.
- Cyber Triage
Added support for Cyber Triage 2.6.
- DUO Admin
Renamed the 1_minutes_ago argument to 1_minute_ago.
- McAfee ESM-v10
- Improved how incidents are fetched.
- Added support for ESM timezone.
- The esm-get-cases-list command now supports filtering by time range.
- Added the time format parameter.
- Endgame
Improved descriptions for the endgame-deploy argument.
- HashiCorp Vault
- Improved integration test error messages.
- Fixed several issues with fetching credentials.
- The list-secrets command now supports KV1 engines.
- LogRhythm
Added several outputs and updated context.
- Mail Sender (New)
- Improved error handling and messaging.
- Added the FQDN parameter to the integration instance configuration.
- McAfee Advanced Threat Defense
Improved error messages for incorrect username, incorrect password, and incorrect header.
- Palo Alto Minemeld
- Added validation when deleting indicators from miners of type localDB.
- Added default values to the threat intel commands.
- Palo Alto Networks Cortex
Implemented OAuth2 authentication.
- Palo Alto Firewall and Panorama
- Added the panorama-get-pcap and panorama-list-pcaps commands.
- Improved error messages and handling of invalid inputs; move-rule errors are now caught and displayed as a message.
- Server Message Block (SMB)
- Added the smb-upload command.
- Added option to print out the contents of a file instead of downloading it.
- urlscan.io
- Added RedirectedURLs and EffectiveURL data from the !url command to context.
- Added the threshold parameter to the integration instance configuration.
- VirusTotal - Private API
- The vt-private-get-url-report command now supports multiple URLs.
- Fixed an issue with the API.
- Added context for the get-url, file, and domain-report commands.
- Fixed DBot score in the ip-report command.
- Added the Preferred Vendors List and Preferred Vendors Threshold parameters, which help determine if files and URLs are malicious.
- Zscaler
Fixed an issue with the rate limit error. Several requests in a short interval now trigger a retry on failure.
Scripts
New Script
- FindSimilarIncidents
Find similar incidents by common incident keys, labels, custom fields, or context keys.
We recommend using incident keys if possible, for example: "type" for the same incident type.
For performance reasons, we recommend avoiding context keys if possible; for example, if the value also appears in the label key, use "label".
7 Improved Scripts
- CheckDockerImageAvailable
Checks if a Docker image is accessible for pull commands.
- CommonServerPython
Added a proxy handling method.
- FilterByList
Updated the context when the list is empty.
- IsMaliciousIndicatorFound
Fixed the script to depend only on DBotScore.Score.
- ReadFile
Fixed a Unicode parsing error.
- ReadPDFFile
Improved the error message when the script fails on reading encrypted files.
- StixParser
Added support for STIX 2.0.
Playbooks
2 Improved Playbooks
- Extract Indicators From File - Generic
Improved the "Is there a PDF file" task, which checks whether file.type and file.info contain pdf.
- Process Email - Generic
Improved detection of attachments that are emails.
Reports
12 Improved Reports
- Critical and High incidents
- Daily incidents
- Critical and High incidents
- Daily incidents
- Investigation Summary
- Open Incidents
- Investigation Summary
- Last 24 hours incidents
- Last 30 days incidents
- Last 7 days incidents
- Open Incidents
- Unknown severity incidents
In each of these reports, changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
Widgets
Improved Widget
- Mentions
Only unread messages are now displayed.
Incident Layouts
4 Improved Incident Layouts
- Access - Summary
Applied incident source fields.
- Malware - Summary
Applied incident source fields.
- Phishing - Summary
Removed 'Email Body HTML' from the default Phishing incident type summary layout.
- Vulnerability - Summary
Applied incident source fields.