Demisto Content Release Notes for version 20.3.3 (44118)
Published on 17 March 2020
Integrations
6 New Integrations
- Google Vision AI
Use the Google Vision AI integration to perform image processing with the Google Vision API.
- Amazon DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
- RiskSense
Use the RiskSense integration for vulnerability management and prioritization to measure and control cybersecurity risk.
- Code42
Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
- (BETA) Trend Micro Apex
Trend Micro Apex Central automation to manage agents and User-Defined Suspicious Objects.
- (BETA) Proofpoint Server Protection
Proofpoint email security appliance.
18 Improved Integrations
- Expanse
  - Updated the Authorization header for the Events API to use the correct token.
  - Added a User-Agent header to assist with diagnostics/debugging.
- Hybrid Analysis
Added URL decoding for the hybrid-analysis-quick-scan-url command.
- Pentera
Fixed an issue with date parsing in the pentera-get-task-run-full-action-report command.
- Qualys
Added the REF field in context mapping.
- Anomali ThreatStream v2
Fixed handling of reputation commands with array input in cases where no reputation was found for a specific indicator.
- FireEye HX
Fixed an issue with encoding passwords that contain special characters, for example: ✓.
- C2sec irisk
Fixed an issue where the irisk-get-domain-issues command failed on KeyError.
- Carbon Black Enterprise Response
Changed the search alerts API v1 call to the API v2 call.
- AlienVault OTX v2
  - Fixed an issue where the IP indicator type was incorrect.
  - Fixed an issue where the URL indicator score was a string.
- VirusTotal
Fixed an issue where detections with no positive values were treated as malicious.
- SplunkPy
Fixed an issue in the test command, which caused an out-of-memory error.
- RSA NetWitness v11.1
Fixed an issue with the get-incident command when the returned sources attribute is set to "[null]". Applicable to NetWitness 11.4.
- Palo Alto Networks PAN-OS
Improved handling of cases where a field value is None.
- RSA NetWitness Packets and Logs
Fixed query parsing in the netwitness-query command.
- BPA
Removed the PORT parameter from the configuration. This will not affect currently configured instances.
- Whois
Added the domain command to enable domain enrichment.
- Elasticsearch v2
Added support for API Key authentication.
- RSA Archer
Fixed an issue where the following commands failed on numeric incident IDs.
  - archer-update-record
  - archer-delete-record
  - archer-upload-file
  - archer-add-to-detailed-analysis
  - archer-get-record
Scripts
New Script
- VerifyJSON
Verifies that the supplied JSON string is valid, and optionally validates it against a provided schema. The script uses PowerShell's Test-Json cmdlet.
4 Improved Scripts
- DBotTrainTextClassifierV2
Added support for training on a boolean target field.
- ReadPDFFileV2
Fixed an issue with URL extraction from PDF files.
- DockerHardeningCheck
Decreased the CPU check sensitivity to accommodate loaded systems.
- FindSimilarIncidents
Added support for the "\" character in incident fields.
Playbooks
3 New Playbooks
- Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration
Remediates the following Prisma Cloud AWS IAM User alerts. Prisma Cloud policies remediated:
  - AWS IAM user has two active Access Keys.
- Code42 Exfiltration Playbook
The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.
- Code42 File Search
Searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context.
4 Improved Playbooks
- PAN-OS EDL Setup v2
Fixed a missing letter in the device model name ("mode" instead of "model").
- Prisma Cloud Remediation - AWS IAM Policy Misconfiguration
Added the Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration sub-playbook.
- Calculate Severity - Critical Assets v2
Fixed an issue that caused the Critical Assets field to be populated partially or not at all.
- PAN-OS Commit Configuration
Fixed a bug where the commit failed but the playbook succeeded. The playbook now fails on an unsuccessful commit or push.
Layouts
2 New Layouts
- AWS CloudTrail Misconfiguration - Summary
- Code42 Security Alert - Summary
Classification & Mapping
2 Improved Classification & Mapping
- PrismaCloud App
Added classification to the AWS CloudTrail Misconfiguration incident type.
- RedLock
Added classification to the AWS CloudTrail Misconfiguration incident type.
XSOAR 5.5 Beta Release
Feeds
3 New Feeds
- AlienVault OTX TAXII Feed
Fetches indicators from AlienVault OTX using a TAXII client.
- Plain Text Feed
Fetches indicators from a plain text feed.
- Elasticsearch Feed
Fetches indicators stored in an Elasticsearch database.
5 Improved Feeds
- TAXII Feed
You can now use the API header and API key in the credentials fields when configuring an integration instance.
- Cofense Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
- Office 365 Feed
  - Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
  - Added mapping to new indicator fields.
- Proofpoint Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
- Recorded Future RiskList Feed
Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
Integrations
2 Improved Integrations
- Export Indicators Service
  - Added the offset parameter to the eis-update command.
  - Added support for the following inline URL parameters.
    - n - The number of indicators to fetch.
    - s - The first index from which to fetch indicators.
    - v - The output format for indicators.
    - q - The query that defines which indicators to fetch.
- Palo Alto Networks PAN-OS EDL Service
Added integration parameter options for formatting indicator values to the expected input standards of PAN-OS.