Demisto Content Release Notes for version 20.1.0 (37812)
Published on 07 January 2020
Notice: Breaking Change
This content update renames the incident field Account to Account Name. This change affects backward compatibility if the field was already implemented in custom content artifacts.
Integrations
12 Improved Integrations
- Palo Alto Networks AutoFocus V2
Improved error handling for the reputation commands.
  - ip
  - domain
  - file
  - url
- Palo Alto Networks PAN-OS
  - Fixed an issue when trying to download a threat-pcap without the required arguments.
  - Improved the error message when trying to download PCAPs from a Panorama instance.
  - You can now specify multiple values (list) for the source, destination, and application arguments in the following commands.
    - panorama-create-rule
    - panorama-custom-block-rule
    - panorama-edit-rule
  - Added 4 commands.
    - panorama-list-static-routes
    - panorama-get-static-route
    - panorama-add-static-route
    - panorama-delete-static-route
  - Fixed an issue in the panorama-list-pcaps command when there are no PCAPs in PAN-OS.
- SplunkPy
Fixed an issue with access to a non-existing key when fetching non-ES events.
- Carbon Black Enterprise Response
Added the Maximum number of incidents to fetch parameter, which specifies the maximum number of incidents to create per fetch.
- Cybereason
Fixed an issue where the cybereason-query-file command did not pull specific hashes.
- Zendesk
Added the check_if_user_exists argument to the zendesk-add-user command, which checks if the user already exists in the system. If set to "True" and the user exists, an error is thrown.
- IBM QRadar
Fixed an issue with fetch-incidents that truncated the incident name when the description included new lines (line breaks).
- Gmail
  - You can now run the following commands against user accounts when you have admin credentials.
    - gmail-delegate-user-mailbox
    - gmail-set-autoreply
- ThreatQ v2
  - Added the threatq-advanced-search command, which runs an advanced indicator search.
  - Added TLP values to indicator outputs.
- Google Vault
Added support for group email (in addition to accountID) for the gvault-create-hold command.
- EWS Mail Sender
Fixed an issue with email subject unicode for the send-mail command.
- Palo Alto Networks WildFire v2
Fixed an issue where the wildfire-report command did not return outputs for non-malicious URLs.
Scripts
3 New Scripts
- ProductJoin
This script takes two lists, joined by a separator, and returns a list of strings.
- DemistoVersion
Returns the Demisto server version.
- DockerHardeningCheck
Checks if the Docker container running this script has been hardened according to the recommended settings. For more information, see the Docker Hardening Guide.
6 Improved Scripts
- ConvertFile
Fixed an issue where child processes were defunct after converting PDF files to HTML.
- StixParser
Removed firstSeen as qualifier for STIX 2 object.
- SetIfEmpty
Fixed an issue where the transformer would fail when applied to a number field.
- Set
Added the stringify argument, which enables you to save numbers as strings.
- RepopulateFiles
Fixed an issue in which the script took all of the last entries and not only the attachments. This resulted in reaching the page limit of 1,000 entries and causing suboptimal performance.
- CommonServerPython
  - Added the argToBoolean command, which accepts an input value of type string or boolean and converts it to boolean.
  - Added the batch command, which accepts an iterable and specifies how many items to return, and yields batches of that size.
Playbooks
8 New Playbooks
- PAN-OS - Delete Static Routes
This playbook deletes a PAN-OS static route from the PAN-OS instance.
- PAN-OS - Add Static Routes
This playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance.
- Employee Offboarding - Gather User Information
This playbook gathers user information as part of the IT - Employee Offboarding playbook.
- Employee Offboarding - Delegate
This playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook.
- Employee Offboarding - Revoke Permissions
This playbook revokes user permissions as part of the IT - Employee Offboarding playbook.
- Employee Offboarding - Retain & Delete
This playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook.
- IT - Employee Offboarding
This playbook offboards company employees to maintain organizational security.
- IT - Employee Offboarding - Manual
This playbook provides a manual alternative to the IT - Employee Offboarding playbook.
2 Improved Playbooks
- Convert file hash to corresponding hashes
  - Fixed an issue in which converting a file hash to corresponding hashes failed.
  - Streamlined playbook structure by removing set tasks.
- Active Directory - Get User Manager Details
Fixed an issue where the display name of the original user was returned in addition to the manager's display name.
Incident Fields
Replaced the Account field with the Account Name field.
Note: This will affect backward compatibility if the field was already implemented in any content artifacts.
20 New Incident Fields
- Active Directory - Account Status
- Active Directory - Display Name
- Active Directory - Password Status
- Company Property Status
- GSuite - Device Account Status
- Google Account Status
- Google Admin Roles Status
- Google Display Name
- Google Drive Status
- Google Mail Status
- Google Password Status
- Duo Account Status
- Email Auto Reply
- Mailbox Delegation
- Employee Display Name
- Employee Email
- Employee Manager Email
- Global Directory Visibility
- Offboarding Stage
- Okta Account Status
Incident Layouts
2 New Incident Layouts
- Employee Offboarding - Details
- Employee Offboarding - New
Improved Incident Layout
- Prisma Cloud - Summary
Replaced the Account field with the Account Name field.
Incident Types
New Incident Type
- Employee Offboarding
Classification & Mapping
2 Improved Classification & Mapping
- prismaCloud_app
Replaced the Account field with the Account Name field.
- RedLock
Replaced the Account field with the Account Name field.