Demisto Content Release Notes for version 19.4.2 (22301)
Published on 30 April 2019
Integrations
10 New Integrations
- ANY.RUN
ANY.RUN is a cloud-based sandbox with interactive access.
- Carbon Black Enterprise Protection V2
Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution that delivers a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.
- Cherwell
Cherwell is a cloud-based IT service management solution.
- Google BigQuery
Google BigQuery is a data warehouse for querying and analyzing large databases.
- Microsoft Graph Mail
Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
- Microsoft Graph User
Unified gateway to security insights, all from a unified Microsoft Graph User API.
- OnboardingIntegration
Creates mock email incidents using one of two randomly selected HTML templates. The textual content is randomly generated and includes filler text (100 random words) plus at least 5 of each of the following data types: IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, and domain names.
- Symantec Management Center
Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
- FortiSIEM
Search and update FortiSIEM events, and manage resource lists.
- OPSWAT-Metadefender v2
OPSWAT-Metadefender is a multi-scanning engine that uses 30+ anti-malware engines to scan files for threats.
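The OnboardingIntegration listed above seeds mock phishing incidents whose bodies carry at least five indicators of each type. The following is an added example written for this page, not the integration's own code: it builds such a mock email from constructed filler words and two assumed HTML templates (labels under the reserved .example TLD, the word pool and the regex patterns are all assumptions), then runs an indicator extractor over it and checks the per-type minimum. It also shows the check a practitioner wants from any such extractor: hash patterns must be word-anchored and matched longest-first, and URLs and mail addresses must be consumed before the looser domain pattern runs, otherwise one SHA-256 is also reported as an MD5 and a SHA-1, and every URL host is double-counted as a domain.

```python
import random
import re
import string
from typing import Dict, List, Set, Tuple

# Constructed filler vocabulary (assumption: any plain words will do).
WORDS = ("invoice attached please review your account payment confirm "
         "login update urgent quarterly report shared document").split()

# Two minimal HTML templates standing in for the integration's own (assumption).
TEMPLATES = (
    "<html><body><p>{body}</p></body></html>",
    '<html><body><div class="msg"><span>{body}</span></div></body></html>',
)

# Extraction patterns in precedence order. Hash patterns are anchored with \b so the
# first 32 or 40 hex characters of a longer digest never count as an MD5 or SHA-1.
# Each pattern's matches are blanked out before the next, looser pattern runs, so a
# URL host or mail domain is not reported a second time as a bare domain.
PATTERNS: Tuple[Tuple[str, "re.Pattern[str]"], ...] = (
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("url", re.compile(r'\bhttps?://[^\s<>"]+', re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
)


def _hex(rng: random.Random, n: int) -> str:
    return "".join(rng.choice("0123456789abcdef") for _ in range(n))


def _label(rng: random.Random) -> str:
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(8))


def generate_mock_email(seed: int, per_type: int = 5, word_count: int = 100) -> str:
    """Build an HTML mail body holding word_count filler words and per_type
    indicators of every kind, shuffled together. Deterministic for a given seed."""
    rng = random.Random(seed)
    tokens: List[str] = [rng.choice(WORDS) for _ in range(word_count)]
    for _ in range(per_type):
        tokens += [
            ".".join(str(rng.randint(1, 254)) for _ in range(4)),  # IP address
            f"http://{_label(rng)}.example/{_hex(rng, 8)}",         # URL
            _hex(rng, 40),                                          # SHA-1
            _hex(rng, 64),                                          # SHA-256
            _hex(rng, 32),                                          # MD5
            f"{_label(rng)}@{_label(rng)}.example",                 # email address
            f"{_label(rng)}.example",                               # domain name
        ]
    rng.shuffle(tokens)
    return rng.choice(TEMPLATES).format(body=" ".join(tokens))


def extract_indicators(html: str) -> Dict[str, Set[str]]:
    """Strip markup, then match each pattern in precedence order, blanking every
    match so that later, looser patterns cannot re-match the same bytes."""
    text = re.sub(r"<[^>]+>", " ", html)
    found: Dict[str, Set[str]] = {}
    for kind, pattern in PATTERNS:
        found[kind] = set(pattern.findall(text))
        text = pattern.sub(" ", text)
    return found


def meets_minimum(found: Dict[str, Set[str]], minimum: int = 5) -> bool:
    """True when every indicator type reached the onboarding minimum."""
    return all(len(found[kind]) >= minimum for kind, _ in PATTERNS)


if __name__ == "__main__":
    mail = generate_mock_email(seed=7)
    result = extract_indicators(mail)
    for kind, values in result.items():
        print(f"{kind}: {len(values)}")
    print("minimum met:", meets_minimum(result))
```

Run the file directly to see the per-type counts for one generated mail; feed `extract_indicators` a real mail body (after the same tag stripping) to see how the precedence order behaves on production text.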
17 Improved Integrations
- urlscan.io
Added support for the urlscan-get-http-transactions script.
- ServiceNow
Added an option to select the timestamp field to filter by when fetching incidents. The fetch-incidents limit and last run are now enforced.
- CounterTack
Added two commands.
- countertack-search-endpoints
- countertack-search-behaviors
- Gmail
Added two commands.
- gmail-list-filters
- gmail-remove-filter
- Fidelis Elevate Network
Fixed the ioc filter in the fidelis-list-alerts command.
- Atlassian Jira v2
Improved handling of IssueTypeName and issueJson in the jira-create-issue command.
- PagerDuty v2
Added two commands.
- PagerDuty-get-incident-data
- PagerDuty-get-service-keys
- Anomali ThreatStream
Improved handling of partial responses from Anomali ThreatStream.
- CrowdStrike Falcon Intel
Fixed how dates are parsed in the cs-report command.
- Intezer
Several improvements to the file command.
- Added the sha256 argument.
- Invalid hashes are now regarded as a warning.
- Palo Alto Networks Magnifier
Fixed the integration name and logo.
- Mail Sender (New)
Improved error messages.
- Palo Alto Networks Minemeld
Fixed the integration display name.
- Palo Alto Networks PAN-OS
Added eight commands.
- panorama-list-edl
- panorama-get-edl
- panorama-create-edl
- panorama-edit-edl
- panorama-delete-edl
- panorama-refresh-edl
- panorama-register-ip-tag
- panorama-unregister-ip-tag
- VirusTotal
Added the fullResponseGlobal parameter, which determines whether to return all results (which can number in the thousands). If true, all results are returned and the parameter overrides the fullResponse and long arguments of a command, even when they are set to "false". If false, the fullResponse and long arguments of the command determine how results are returned.
- Palo Alto Networks WildFire
- Improved the file command.
- Added the md5 and sha256 arguments.
- Invalid hashes are now regarded as a warning.
- Improved the wildfire-report command.
- Added the sha256 argument.
- Deprecated the hash argument.
- Added the wildfire-get-sample command.
- Zscaler
Added the zscaler-sandbox-report command.
Deprecated
- OPSWAT-Metadefender (Deprecated)
Deprecated. Use the OPSWAT-Metadefender v2 integration instead.
Scripts
11 New Scripts
- CherwellCreateIncident
A sample script that creates an incident in Cherwell. The script wraps the cherwell-create-business-object command of the Cherwell integration.
- CherwellGetIncident
A sample script that retrieves an incident from Cherwell. The script wraps the cherwell-get-business-object command of the Cherwell integration.
- CherwellIncidentOwnTask
A sample script that links an incident to a task in Cherwell. The script wraps the cherwell-link-business-object command of the Cherwell integration.
- CherwellIncidentUnlinkTask
A sample script that unlinks a task from an incident in Cherwell. The script wraps the cherwell-unlink-business-object command of the Cherwell integration.
- CherwellQueryIncidents
A sample script that queries incidents from Cherwell. The script wraps the cherwell-query-business-object command of the Cherwell integration.
- CherwellUpdateIncident
A sample script that updates an incident in Cherwell. The script wraps the cherwell-update-business-object command of the Cherwell integration.
- DBotPredictPhishingWords
Predicts a text label using a pre-trained machine learning phishing model, and returns the most important words used in the classification decision.
- FileToBase64List
Encodes a file as base64 and stores it in a Demisto list.
- DemistoLeaveAllInvestigations
Removes a user from all investigations in which they are involved (clears the incidents in the left pane). Incidents that the user owns remain in the left pane. Requires the Demisto REST API integration to be configured for the server.
- OnboardingCleanup
Cleans up the incidents and indicators created by the OnboardingIntegration.
- UrlscanGetHttpTransactions
Gets the HTTP transactions made for a given URL using the UrlScan integration. To use this script properly, run it inside a playbook without a worker, which requires fewer system resources for the polling action: in the playbook task that executes this script, go to the Advanced section and select the Run without a worker checkbox.
12 Improved Scripts
- CheckDockerImageAvailable
Improved the script to work with older demisto/python images.
- ParseEmailFiles
- Improved email file type detection.
- Fixed an issue when EML files have special characters.
- ADGetUser
Enabled script execution with Active Directory Query instances only.
- CommonServerPython
Added the list type to raw_response in the raw_outputs command.
- ExtractIndicatorsFromWordFile
The automation now executes as expected when the entry is a single object.
- FetchFromInstance
Improved script execution.
- GenericPollingScheduledTask
Added an option to pass CSV arguments and values to pollingCommandArgName.
- ReadPDFFile
Added an error when reading image files fails.
- RunPollingCommand
Added an option to pass CSV arguments and values to pollingCommandArgName.
- ScheduleGenericPolling
Added an option to pass CSV arguments and values to pollingCommandArgName.
- UserEnrichAD
Updated a dependency for the activedir brand.
- IsIPInRanges
- Removed the condition tag.
- Improved the description of the IP range input.
Playbooks
16 New Playbooks
- Account Enrichment - Generic v2
- Reduced indicator duplication.
- Improved task names, descriptions, input selectors, and auto-extract settings.
- The new version does not provide reputation.
- Detonate File - ANYRUN
Detonates one or more files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. All file types are supported.
- Detonate File From URL - ANYRUN
Detonates one or more remote files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis works only for direct download links.
- Detonate URL - ANYRUN
Detonates one or more URLs using the ANY.RUN sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.
- Domain Enrichment - Generic v2
- Reduced indicator duplication.
- Improved task names, descriptions, and auto-extract settings.
- The new version does not provide reputation.
- Email Address Enrichment - Generic v2
- Reduced indicator duplication.
- Improved playbook performance and execution.
- The new version does not provide reputation.
- Endpoint Enrichment - Generic v2
- Reduced indicator duplication.
- Improved task names and descriptions, and auto-extract settings.
- Improved playbook performance and execution, and DT selector implementation.
- Removed a deprecated SentinelOne integration.
- Entity Enrichment - Generic v2
Improved playbook and sub-playbook performance and execution.
- Entity Enrichment - Phishing v2
Customized for generic phishing investigations to avoid enrichment of irrelevant entities.
- File Enrichment - Generic v2
- Reduced indicator duplication.
- Removed redundant sub-playbooks.
- Simplified playbook structure and conditions.
- The new version does not provide reputation.
- IP Enrichment - Generic v2
- Added two separate sub-playbooks; one for internal IPs and one for external IPs.
- The new version does not provide reputation.
- IP Enrichment - External - Generic v2
- Added a new generic playbook for external IP enrichment.
- The new playbook does not provide reputation.
- IP Enrichment - Internal - Generic v2
- Added a new generic playbook for internal IP enrichment.
- The new playbook does not provide reputation.
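The v2 IP Enrichment playbook routes each address to either the internal or the external sub-playbook, and that routing depends on a range check of the kind the IsIPInRanges script listed above performs. The following is an added example written for this page, not the content pack's own code: it implements the decision in Python on the standard ipaddress module. The comma-separated CIDR input format, the default range set (RFC 1918 space plus loopback and link-local for both IP versions) and the function names are assumptions. It covers the cases that trip a naive string comparison: an IPv6 address tested against IPv4 ranges, a range written with host bits set, surrounding whitespace, duplicates, and values that are not addresses at all, which must never reach a reputation lookup.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed default for "internal": RFC 1918 ranges plus loopback and link-local,
# for IPv4 and IPv6. A real deployment replaces this with its own address plan.
DEFAULT_INTERNAL_RANGES = (
    "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,"
    "fc00::/7,fe80::/10,::1/128"
)


def parse_ranges(csv_ranges: str) -> List[Network]:
    """Parse a comma-separated list of CIDR ranges.

    strict=False accepts a range written with host bits set (10.1.2.3/8 becomes
    10.0.0.0/8) instead of raising, which is how a range pasted from a ticket
    often arrives. Empty items from stray commas are skipped."""
    nets: List[Network] = []
    for item in csv_ranges.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_ip_in_ranges(ip: str, nets: Iterable[Network]) -> bool:
    """True if ip lies inside any of nets. Membership is version-aware: an IPv6
    address never matches an IPv4 range, and vice versa."""
    addr = ipaddress.ip_address(ip.strip())
    return any(addr in net for net in nets)


def split_ips(ips: Iterable[str], csv_ranges: str = DEFAULT_INTERNAL_RANGES) -> Dict[str, List[str]]:
    """Route each address to the internal or external enrichment path.

    Malformed values land in 'invalid' rather than being sent to an external
    reputation service; duplicates are enriched once, in first-seen order."""
    nets = parse_ranges(csv_ranges)
    routed: Dict[str, List[str]] = {"internal": [], "external": [], "invalid": []}
    seen = set()
    for raw in ips:
        value = raw.strip()
        if value in seen:
            continue
        seen.add(value)
        try:
            ipaddress.ip_address(value)
        except ValueError:
            routed["invalid"].append(value)
            continue
        bucket = "internal" if is_ip_in_ranges(value, nets) else "external"
        routed[bucket].append(value)
    return routed


if __name__ == "__main__":
    # Constructed sample input, the sort of list an incident's context might carry.
    sample = ["10.1.2.3", "8.8.8.8", " 192.168.0.1 ", "not-an-ip", "2001:db8::1", "8.8.8.8"]
    for bucket, members in split_ips(sample).items():
        print(f"{bucket}: {members}")
```

Pass the organization's own ranges as `csv_ranges` when an address plan uses public space internally; leaving the default in place would send those addresses down the external path and leak internal topology to third-party reputation services.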
- PhishingDemo-Onboarding
This playbook is part of the on-boarding experience and focuses on phishing scenarios. To use it, enable the on-boarding integration and configure incidents of type Phishing. For more information, refer to the on-boarding walkthroughs in the help section.
- Phishing Investigation - Generic v2
Improved entity enrichment to avoid enrichment of irrelevant entities.
- URL Enrichment - Generic v2
- Reduced indicator duplication.
- Removed reputation commands.
- Simplified playbook structure and implementation.
- The new version does not provide reputation.
5 Improved Playbooks
- Detonate File - Generic
Added the ANYRUN File Detonation playbook.
- Detonate URL - Generic
Added the ANYRUN URL Detonation playbook.
- Email Address Enrichment - Generic
Adjusted version.
- GenericPolling
Added support for CSV arguments and values for PollingCommandArgName.
- Process Email - Generic
SetIncident now retrieves data from the correct context fields.
Incident Layouts
Improved Incident Layout
- Phishing - Summary
Updated phishing incident type layout.
Classification & Mapping
New Classification & Mapping
- OnboardingIntegration
Mapping to phishing incidents.