Demisto Content Release Notes for version 19.4.2 (22301)

Published on 30 April 2019

Integrations

10 New Integrations

  • ANY.RUN
    ANY.RUN is a cloud-based sandbox with interactive access.
  • Carbon Black Enterprise Protection V2
    Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.
  • Cherwell
    Cherwell is a cloud-based IT service management solution.
  • Google BigQuery
    Google BigQuery is a data warehouse for querying and analyzing large databases.
  • Microsoft Graph Mail
    Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
  • Microsoft Graph User
    Unified gateway to security insights - all from a unified Microsoft Graph User API.
  • OnboardingIntegration
    Creates mock email incidents using one of two randomly selected HTML templates. Textual content is randomly generated and defined to include some text (100 random words) and the following data (at least 5 of each data type): IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, domain names.
  • Symantec Management Center
    Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
  • FortiSIEM
    Search and update FortiSIEM events, and manage resource lists.
  • OPSWAT-Metadefender v2
    OPSWAT-Metadefender is a multi-scanning engine that uses 30+ anti-malware engines to scan files for threats.

17 Improved Integrations

  • urlscan.io
    Added support for the urlscan-get-http-transactions script.
  • ServiceNow
    Added an option to select the timestamp field to filter by when fetching incidents. The fetch-incidents limit and last run are now enforced.
  • CounterTack
    Added two commands.
    • countertack-search-endpoints
    • countertack-search-behaviors
  • Gmail
    Added two commands.
    • gmail-list-filters
    • gmail-remove-filter
  • Fidelis Elevate Network
    Fixed the ioc filter in the fidelis-list-alerts command.
  • Atlassian Jira v2
    Improved handling of IssueTypeName and issueJson in the jira-create-issue command.
  • PagerDuty v2
    Added two commands.
    • PagerDuty-get-incident-data
    • PagerDuty-get-service-keys
  • Anomali ThreatStream
    Improved handling of partial responses from Anomali ThreatStream.
  • CrowdStrike Falcon Intel
    Fixed how dates are parsed in the cs-report command.
  • Intezer
    Several improvements to the file command.
    • Added the sha256 argument.
    • Invalid hashes are now regarded as a warning.
  • Palo Alto Networks Magnifier
    Fixed the integration name and logo.
  • Mail Sender (New)
    Improved error messages.
  • Palo Alto Networks Minemeld
    Fixed the integration display name.
  • Palo Alto Networks PAN-OS
    Added eight commands.
    • panorama-list-edl
    • panorama-get-edl
    • panorama-create-edl
    • panorama-edit-edl
    • panorama-delete-edl
    • panorama-refresh-edl
    • panorama-register-ip-tag
    • panorama-unregister-ip-tag
  • VirusTotal
    Added the fullResponseGlobal parameter. The parameter determines whether to return all results, which can number in the thousands. If true, returns all results and overrides the fullResponse and long arguments (if they are set to "false") in a command. If false, the fullResponse and long arguments in the command determine how results are returned.
  • Palo Alto Networks WildFire
    • Improved the file command.
      • Added the md5 and sha256 arguments.
      • Invalid hashes are now regarded as a warning.
    • Improved the wildfire-report command.
      • Added the sha256 argument.
      • Deprecated the hash argument.
    • Added the wildfire-get-sample command.
  • Zscaler
    Added the zscaler-sandbox-report command.

Deprecated

  • OPSWAT-Metadefender (Deprecated)
    Deprecated. Use the OPSWAT-Metadefender v2 integration instead.

Scripts

11 New Scripts

  • CherwellCreateIncident
    A sample script that creates an incident in Cherwell. The script wraps the cherwell-create-business-object command in the Cherwell integration.
  • CherwellGetIncident
    A sample script that retrieves an incident from Cherwell. The script wraps the cherwell-get-business-object command of the Cherwell integration.
  • CherwellIncidentOwnTask
    A sample script that links an incident to a task in Cherwell. The script wraps the cherwell-link-business-object command of the Cherwell integration.
  • CherwellIncidentUnlinkTask
    A sample script that unlinks a task from an incident in Cherwell. The script wraps the cherwell-unlink-business-object command of the Cherwell integration.
  • CherwellQueryIncidents
    A sample script that queries incidents from Cherwell. The script wraps the cherwell-query-business-object command of the Cherwell integration.
  • CherwellUpdateIncident
    A sample script that updates an incident in Cherwell. The script wraps the cherwell-update-business-object command of the Cherwell integration.
  • DBotPredictPhishingWords
    Predicts the text label using a pre-trained machine learning phishing model, and returns the most important words used in the classification decision.
  • FileToBase64List
    Encode a file as base64 and store it in a Demisto list.
  • DemistoLeaveAllInvestigations
    Removes a user from all investigations they are involved in (clears the incidents in the left pane). Incidents that the user owns remain in the left pane. Requires the Demisto REST API integration to be configured for the server.
  • OnboardingCleanup
    Cleans up the incidents and indicators created by the OnboardingIntegration.
  • UrlscanGetHttpTransactions
    Provides the functionality to get the HTTP transactions made for a given URL using the UrlScan integration. To properly use this script, run it inside a playbook and select to run it without a worker, which requires fewer system resources during the polling action. In the playbook task that executes this script, go to the Advanced section and select the Run without a worker checkbox.

12 Improved Scripts

  • CheckDockerImageAvailable
    Improved the script to work with older demisto/python images.
  • ParseEmailFiles
    • Improved email file type detection.
    • Fixed an issue when EML files have special characters.
  • ADGetUser
    Enabled script execution with Active Directory Query instances only.
  • CommonServerPython
    Added the list type to raw_response in the raw_outputs command.
  • ExtractIndicatorsFromWordFile
    The automation now executes as expected when the entry is a single object.
  • FetchFromInstance
    Improved script execution.
  • GenericPollingScheduledTask
    Added an option to pass CSV arguments and values to pollingCommandArgName.
  • ReadPDFFile
    Added an error when reading image files fails.
  • RunPollingCommand
    Added an option to pass CSV arguments and values to pollingCommandArgName.
  • ScheduleGenericPolling
    Added an option to pass CSV arguments and values to pollingCommandArgName.
  • UserEnrichAD
    Updated a dependency for the activedir brand.
  • IsIPInRanges
    • Removed the condition tag.
    • Improved the description of the IP range input.

Playbooks

16 New Playbooks

  • Account Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names, descriptions, input selectors, and auto-extract settings.
    • The new version does not provide reputation.
  • Detonate File - ANYRUN
    Detonates one or more files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. All file types are supported.
  • Detonate File From URL - ANYRUN
    Detonates one or more remote files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. This type of analysis works only for direct download links.
  • Detonate URL - ANYRUN
    Detonates one or more URLs using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and URL reputations to the context data.
  • Domain Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names, descriptions, and auto-extract settings.
    • The new version does not provide reputation.
  • Email Address Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved playbook performance and execution.
    • The new version does not provide reputation.
  • Endpoint Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names, descriptions, and auto-extract settings.
    • Improved playbook performance and execution, and DT selector implementation.
    • Removed a deprecated SentinelOne integration.
  • Entity Enrichment - Generic v2
    Improved playbook and sub-playbook performance and execution.
  • Entity Enrichment - Phishing v2
    Customized for generic phishing investigations to avoid enrichment of irrelevant entities.
  • File Enrichment - Generic v2
    • Reduced indicator duplication.
    • Removed redundant sub-playbooks.
    • Simplified playbook structure and conditions.
    • The new version does not provide reputation.
  • IP Enrichment - Generic v2
    • Added two separate sub-playbooks; one for internal IPs and one for external IPs.
    • The new version does not provide reputation.
  • IP Enrichment - External - Generic v2
    • Added a new generic playbook for external IP enrichment.
    • The new playbook does not provide reputation.
  • IP Enrichment - Internal - Generic v2
    • Added a new generic playbook for internal IP enrichment.
    • The new playbook does not provide reputation.
  • PhishingDemo-Onboarding
    This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the on-boarding integration and configure incidents of type Phishing. For more information, refer to the on-boarding walkthroughs in the help section.
  • Phishing Investigation - Generic v2
    Improved entity enrichment to avoid enrichment of irrelevant entities.
  • URL Enrichment - Generic v2
    • Reduced indicator duplication.
    • Removed reputation commands.
    • Simplified playbook structure and implementation.
    • The new version does not provide reputation.

5 Improved Playbooks

  • Detonate File - Generic
    Added the ANYRUN File Detonation playbook.
  • Detonate URL - Generic
    Added the ANYRUN URL Detonation playbook.
  • Email Address Enrichment - Generic
    Adjusted version.
  • GenericPolling
    Added support for CSV arguments and values for PollingCommandArgName.
  • Process Email - Generic
    SetIncident now retrieves data from the correct context fields.

Incident Layouts

Improved Incident Layout

  • Phishing - Summary
    Updated phishing incident type layout.

Classification & Mapping

New Classification & Mapping

  • OnboardingIntegration
    Mapping to phishing incidents.