demisto/content 19.9.0

Demisto Content Release Notes for version 19.9.0 (28765)

on GitHub

Demisto Content Release Notes for version 19.9.0 (28765)

Published on 03 September 2019

Integrations

2 New Integrations

• ZeroFOX
  Cloud-based SaaS to detect risks found on social media and digital channels.
• Google Cloud Storage
  Google Cloud Storage is a RESTful online file storage web service for storing and accessing data on Google Cloud Platform infrastructure.

25 Improved Integrations

• AWS - S3
  The following instance parameters now work as expected.
  • Proxy
  • Trust any certificate
• IBM QRadar
  • Fixed an issue in which the qradar-get-search-results command failed when the root of the result contained a non-ASCII character.
  • Fixed an issue in which the qradar-offense-by-id command failed if an SEC header was missing when trying to get an offense type.
• Mail Sender (New)
  Improved debug failure logging when testing the integration instance configuration.
• Cisco Umbrella Investigate
  Added several context outputs to the following commands to support Demisto 5.0.
  • domain
  • umbrella-get-whois-for-domain
• FortiGate
  Added 3 commannds.
  • fortigate-ban-ip
  • fortigate-unban-ip
  • fortigate-get-banned-ips
• EWS v2
  • Improved implementation of the ews-get-contacts command.
  • Improved security of the Exchange 365 compliance search.
  • Improved security within the Docker container.
• Palo Alto Networks Cortex XDR - Investigation and Response
  Improved the error message for cases when no query arguments are supplied for the xdr-get-incidents command.
• McAfee Advanced Threat Defense
  Improved handling of DBotScore outputs in cases of unsuccessful file detonation using the atd-file-upload command.
• Palo Alto Networks Minemeld
  Added support for non-root URL structures.
• ServiceNow
  Fixed an issue with the servicenow-upload-file command when the uploaded file is an info file.
• Censys
  • Added an error message when results are not returned. Previously, an error was returned.
  • Added proxy support.
• AWS - Lambda
  The following instance parameters now work as expected.
  • Proxy
  • Trust any certificate
• Slack v2 (Available from Demisto 5.0 *)
  • Added 6 commands.
    • close-channel (now with optional channel argument).
    • slack-create-channel
    • slack-invite-to-channel
    • slack-kick-from-channel
    • slack-rename-channel
    • slack-get-user-details
  • Added support for removing the Slack admin (API token owner) when mirroring an incident.
• Tenable.sc
  • Added the tenable-sc-get-all-scan-results command, which retrieves all scan results in Tenable SC.
  • Added the Port and Protocol fields to the Hosts output in the get-vulnerability command.
• Netskope
  The netskope-alerts command now returns full raw response data when you specify the raw-repsonse argument.
• SplunkPy
  Added the Fetch limit parameter to the instance configuration, which specifies the maximum number of results to fetch.
• Palo Alto Networks AutoFocus V2
  • Updated Palo Alto Networks AutoFocus V2 Indicators context outputs to support version 5.0.
• Symantec Endpoint Protection V2
  • Added the sep-identify-old-clients command, which identifies endpoints with a running version that is inconsistent with the target version or the desired version.
  • Added the groupName argument to the sep-endpoints-info, which enables you to specify a group for which to search.
  • Added several context outputs for the !sep-endpoints-info command:
    • Group
    • RunningVersion
    • TargetVersion
    • PatternIdx
    • OnlineStatus
    • UpdateTime
• Palo Alto Networks PAN-OS
  • Added 3 commands.
    • panorama-query-logs
    • panorama-check-logs-status
    • panorama-get-logs
  • Added the Panorama Query Logs playbook.
  • Added log-forwarding as an option for the element_to_change argument in the panorama-edit-rule command.
  • Added support for shared objects and rules in Panorama instances.
  • Added the device-group argument to all relevant commands.
• Palo Alto Networks WildFire v2
  Fixed an issue in which the wildfire-report command failed when setting the verbose argument to true.
• AWS - EC2
  • Added several arguments to the authorize_security_group_ingress command.
  • The following instance parameters now work as expected.
    • Proxy
    • Trust any certificate
• Remedy On-Demand
  Removed the trailing slash from the login URL, which caused a bad request response.
• Threat Crowd
  • Added DbotScore calculation to the following commands.
    • threat-crowd-ip
    • threat-crowd-domain
• LogRhythmRest
  • Fixed an issue in the lr-get-alarm-events command when DrillDownLogs is empty.
  • Improved handling of the lr-get-alarm-events-by-id command when there are no events for the alarm.
• Carbon Black Enterprise Response
  Added the get_related argument to the cb-get-process command. If "true", will get process siblings, parent, and children.

Scripts

5 New Scripts

• SlackAsk (Available from Demisto 5.0 *)
  Sends a message (question) either to a user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook.
• EntryWidgetPieAlertsXDR
  Entry widget that returns a pie chart of alerts for a specified Cortex XDR incident by alert severity (low, medium, and high).
• EntryWidgetNumberUsersXDR
  Entry widget that returns the number of users that participated in a specified Cortex XDR incident.
• ShowLocationOnMap
  Show indicator geo location on map.
• EntryWidgetNumberHostsXDR
  Entry widget that returns the number of hosts in a Cortex XDR incident.

7 Improved Scripts

• XDRSyncScript
  • Deprecated the playbook_to_run argument. When an incident is updated in XDR and the script updates the incident in Demisto, by default, the playbook is rerun.
  • The next sync is now rescheduled even if the current sync fails.
• FindSimilarIncidents
  • Added support for the "\n" character in incident fields.
  • Fixed an issue where duplicate incidents were created at the same time.
  • Added support for list values in the context key value.
• SendEmailToManager
  Fixed an issue with arguments that are passed to the addEntitlement function.
• MicrosoftTeamsAsk (Available from Demisto 5.0 *)
  • Added the channel argument.
  • Improved script descriptions.
• ParseEmailFiles
  • Improved EML file type detection.
  • Added the Email.AttachmentNames output, which contains a list of the names of the email attachments.
• IdentifyAttachedEmail
  The script now detects additional email attachment types.
• CommonServerPython
  • Improved the IntegrationLogger function.
  • Added support for IPv6 addresses in the is_ip_valid command.
  • Added the get_demisto_version function, which returns the Demisto server version and build number.

Deprecated Script

• SlackAskUser (Available from Demisto 5.0 *)
  Deprecated. Use the SlackAsk script instead.

Removed Script

• IndicatorRelatedIncientBySeverity

Playbooks

5 New Playbooks

• Failed Login Playbook - Slack v2 (Available from Demisto 5.0 *)
  When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. If the reply is "no", then the incident severity is set to "high". If the reply is "yes", then another direct message is sent to the user asking if they require a password reset in AD.
• Cortex XDR Incident Sync
  Compares incidents in Palo Alto Networks Cortex XDR and Demisto, and updates the incidents appropriately. When an incident is updated in Demisto, the XDRSyncScript will update the incident in XDR. When an incident is updated in XDR, the XDRSyncScript will update the incident fields in Demisto and rerun the current playbook.
• PAN-OS DAG Configuration
  Added support for creating dynamic address groups (DAGs). You can attach DAGs and add IP addresses to a rule.
• PAN-OS EDL Setup
  Added support for configuring an external dynamic list (EDL). The playbook syncs the remote file (if it exists) to Demisto. The playbook also creates a rule and attaches the EDL to the rule.
• PAN-OS Commit Configuration
  Automatically determines the operable product (Firewall or Panorama), and commits accordingly. This playbook replaces the deprecated panorama-commit-configuration playbook.

6 Improved Playbooks

• Panorama Query Logs
  Added a playbook that handles querying logs in Palo Alto Networks PAN-OS.
• Dedup - Generic
  Added the TimeField input.
• Process Email - Generic
  The playbook now uses IdentifyAttachedEmail to detect additional email attachment types.
• ATD - Detonate File
  Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
• Detonate URL - McAfee ATD
  Improved playbook implementation by excluding "-1" TaskIds from all playbook tasks.
• Failed Login Playbook With Slack
  Added toversion.

2 Deprecated Playbooks

• Failed Login Playbook With Slack
  Deprecated. Use the Failed Login - Slack v2 playbook instead.
• PanoramaCommitConfiguration
  This playbook is deprecated. use playbook-Pan-OS_Commit_Configuration instead to automatically determine between firewall or panorama before committing

Reports

20 Improved Reports

• Mean time to Resolve by Incident Owner (Last 2 Quarters)
  Updated the display values of the status column.
• Open Incidents
  Updated the display values of the status column.
• Daily incidents
  Updated the display values of the status column.
• Critical and High incidents
  Updated the display values of the status column.
• Last 7 days closed incidents
  Updated the display values of the status column.
• Critical and High incidents
  Updated the display values of the status column.
• Last 30 days closed incidents
  Updated the display values of the status column.
• Shift summary report
  Updated the display values of the status column.
• Daily incidents
  Updated the display values of the status column.
• Open Incidents
  Updated the display values of the status column.
• Last 7 days incidents
  Updated the display values of the status column.
• Last 24 hours incidents
  Updated the display values of the status column.
• Daily incidents
  Updated the display values of the status column.
• Unknown severity incidents
  Updated the display values of the status column.
• Last 30 days incidents
  Updated the display values of the status column.
• Investigation Summary
  Updated the display values of the status column.
• Late Incidents
  Updated the display values of the status column.
• Mean time to Resolve by Incident Type (Last 2 Quarters)
  Updated the display values of the status column.
• Last 24 hours closed incidents
  Updated the display values of the status column.
• Investigation Summary
  Updated the display values of the status column.

Incident Fields

Added several incident fields to the Cortex XDR Incident incident type. (Available from Demisto 5.0 *)

Incident Layouts

1 New Incident Layouts

• Cortex XDR Incident - Summary
  Added a layout for the Cortex XDR Incident incident type. (Available from Demisto 5.0).

4 Improved Incident Layouts

• ipRep - Indicator Details
  Added the IP indicator layout.
• unifiedFileRep - Indicator Details
  Added the unifiedFile indicator layout.
• urlRep - Indicator Details
  Added the URL indicator layout.
• Phishing - Summary
  Added a new Phishing layout. (Available from Demisto 5.0 *).

Removed Incident Layouts

• layout-indicatorsDetails-ipEscaped

Classification & Mapping

New Classification & Mapping

• Cortex XDR - IR
  Added new mapping for the Cortex XDR integration. The integration converts an incident in XDR to an incident in Demisto, with the incident type
  Cortex XDR Incident. (Available from Demisto 5.0 *).

4 Improved Classification & Mapping

• EWS v2
  Added Email HTML mapping.
• OnboardingIntegration
  Added Email HTML mapping.
• mail-listener
  Added Email HTML mapping.
• Gmail
  Added Email HTML mapping.

Reputations

Removed Reputations

• reputation-ipEscaped

* This content requires Demisto 5.0, which is available for private beta evaluation. For more information, send a message to beta@demisto.com