Demisto Content Release Notes for version 20.3.4 (45989)
Published on 30 March 2020
Integrations
7 New Integrations
- Cymulate
Multi-Vector Cyber Attack, Breach and Attack Simulation.
- Silverfort
Use the Silverfort integration to get and update Silverfort risk severity.
- Generic SQL
Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
- Microsoft Defender Advanced Threat Protection
Use the Microsoft Defender Advanced Threat Protection (ATP) integration for preventative protection, post-breach detection, automated investigation, and response.
- Cortex Data Lake
Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your on-premises and virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
- Fidelis EDR
Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac, and Linux operating systems for faster threat remediation.
- Tanium Threat Response
Use the Tanium Threat Response integration to manage endpoint processes, evidence, alerts, files, snapshots, and connections.
15 Improved Integrations
- Symantec Managed Security Services
Fixed an issue where fetch-incidents failed on data containing special characters.
- AWS - EC2
- Improved handling of error messages.
- Updated the result returned when the command result is an empty list.
- illuminate
Fixed an issue where indicators with no benign data showed as malicious.
- Microsoft Teams
Added the microsoft-teams-ring-user command.
- Active Directory Query v2
Fixed the User Account Control translation value.
- Slack v2
Fixed a bug where messages were not sent to a channel if it was the dedicated channel for notifications.
- SplunkPy
- Added the Replace with Underscore in Incident Fields parameter key, which replaces problematic characters (e.g., ".") with underscores ("_") in context keys.
- Added the First fetch timestamp parameter, which indicates the date and time from which incidents should be fetched.
- Fixed an issue where the splunk-search command presented the table headers in alphabetical order instead of the query order.
- Expanse
- Shortened the period of time that tokens are considered valid, to avoid authorization errors.
- Fixed an issue related to the ip command where an error is generated if the API returns a partial response.
- Added friendly values for various empty fields returned by the domain command.
- Palo Alto Networks AutoFocus v2
- Fixed an issue where get_search_results mistakenly returned "no results".
- Added the SessionStart context output to the following commands:
- autofocus-search-samples
- autofocus-search-sessions
- autofocus-top-tags-search
- Microsoft Graph Mail
- Fixed an issue where the email listing did not compare by mail ID.
- Added the following 4 commands. These commands require additional permissions; see the Detailed Description for more information.
- msgraph-mail-create-draft
- msgraph-mail-send-draft
- msgraph-mail-reply-to
- send-mail
- Added the ability to fetch mails as incidents.
- Rasterize
Increased the default rasterize image width to 1024px.
- Okta
Fixed a typo in the DisplayName context path in the okta-search command.
- Lockpath KeyLight v2
Fixed the fetch-incidents raw data to match the data and format returned by the kl-get-records command.
- Fidelis Elevate Network
Added the following commands:
- fidelis-get-alert-session-data - Gets the session data of an alert.
- fidelis-get-alert-decoding-path - Gets the decoding data of an alert.
- fidelis-add-alert-comment - Adds a comment to an alert.
- fidelis-get-alert-execution-forensics - Gets the execution forensic data of an alert.
- fidelis-update-alert-status - Assigns a status to an alert (False Positive, Not Interesting, Interesting and Actionable).
- fidelis-close-alert - Closes an alert.
- fidelis-assign-user-to-alert - Assigns a user to an alert.
- fidelis-get-alert-forensic-text - Gets the forensic text of an alert.
- fidelis-alert-execution-forensics-submission - Submits an alert with an executable file for execution forensics.
- fidelis-manage-alert-label - Adds, removes, or changes an alert label.
- Tanium v2
- Added support for question text with parameters instead of using the parameters argument in the tn-ask-question command.
- Fixed an issue where the tn-get-question-result command returned a list in a single-column result.
Deprecated Integrations
- Palo Alto Networks Cortex
Deprecated. Use the Cortex Data Lake integration instead.
- Windows Defender Advanced Threat Protection
Deprecated. Use the Microsoft Defender Advanced Threat Protection integration instead.
Scripts
2 New Scripts
- ReplaceMatchGroup
Returns a string with all matches of a regex pattern's groups replaced by a replacement.
- Base64Decode
Decodes an input in Base64 format.
4 Improved Scripts
- ExtractFQDNFromUrlAndEmail
Fixed an issue with the ATP link regex.
- ExtractDomainFromUrlAndEmail
Fixed an issue with the ATP link regex.
- UnEscapeURLs
- Fixed an issue with unescaped 'https' URLs.
- Fixed an issue with the ATP link regex.
- FindSimilarIncidents
Deprecated the following arguments. Use the similarIncidentFields argument instead.
- similarCustomFields
- similarIncidentKeys
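The three script fixes above all concern the same operation: pulling a hostname out of a URL or email address that may arrive percent-escaped or wrapped in a Microsoft ATP Safe Links redirect. The following Python is an added example written for this page, not the code of the XSOAR scripts themselves. It assumes that "ATP link" refers to Safe Links wrappers of the form https://<region>.safelinks.protection.outlook.com/?url=<escaped destination>; the hostname suffix, helper names and sample inputs are this example's own, and it goes slightly beyond the page by also rejecting bare IP literals, which are not FQDNs.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hostname suffix of Microsoft ATP Safe Links wrappers (assumed reading of "ATP link").
SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"


def unescape_url(value: str) -> str:
    """Percent-decode until the string stops changing (bounded to 3 rounds), so an
    escaped 'https%3A%2F%2F...' value becomes a parseable 'https://...' URL."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unwrap_safelinks(url: str) -> str:
    """Return the destination hidden in a Safe Links wrapper; other URLs are unchanged.
    The inner URL lives in the 'url' query parameter and parse_qs decodes it once."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == SAFELINKS_SUFFIX or host.endswith("." + SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return unescape_url(inner[0])
    return url


def extract_fqdn(indicator: str) -> Optional[str]:
    """Extract the FQDN from a URL or email address; None if there is no usable host."""
    # Unwrap first so the wrapper's own query string is parsed intact, then unescape.
    value = unescape_url(unwrap_safelinks(indicator.strip()))
    # Email address: the mail domain is everything after the last '@'.
    if "://" not in value and "@" in value and "/" not in value:
        return value.rsplit("@", 1)[1].lower().rstrip(".") or None
    if "://" not in value:
        value = "http://" + value  # scheme-less 'host/path' form
    value = unwrap_safelinks(value)  # a wrapper that was itself escaped
    host = urlparse(value).hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # A bare IPv4 literal (all-numeric labels) or IPv6 literal (no dots) is not an FQDN.
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    return host
```

Unwrapping before decoding matters: decoding the whole wrapper URL first would turn an escaped "&" inside the inner URL into a query separator and truncate the destination.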
Playbooks
11 New Playbooks
- Tanium Threat Response - Create Connection
Creates a connection to a remote destination from Tanium.
- Cortex XDR - Isolate Endpoint
Accepts an XDR endpoint ID and isolates it using the Palo Alto Networks Cortex XDR - Investigation and Response integration.
- Dedup - Generic v2
Identifies duplicate incidents using one of the supported methods.
- Brute Force Investigation - Generic - SANS
Investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and on information received from the user, and then performing remediation.
Disclaimer: This playbook does not ensure compliance with SANS guidelines.
- Brute Force Investigation - Generic
Investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and on information received from the user, and then performing remediation.
- Prisma Cloud Remediation - GCP Compute Engine Misconfiguration
Remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps.
- Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration
Remediates Prisma Cloud GCP Compute Engine VM Instance alerts.
- Silverfort Update Risk for Domain Admins Incidents
Gets an incident related to an account. If the account is a domain admin, updates the Silverfort risk.
- Microsoft Defender Advanced Threat Protection Get Machine Action Status
Uses generic polling to get machine action information.
- Tanium Threat Response - Request File Download
Requests a file download from Tanium.
- Silverfort Disable High Risk Account
Gets the user's risk from the Silverfort database. If the risk is medium or higher, the user is blocked and an alert is sent.
8 Improved Playbooks
- Palo Alto Networks - Malware Remediation
Added the Cortex XDR - Isolate Endpoint sub-playbook.
- Block URL - Generic
Added additional playbook inputs.
- Detonate File - FireEye AX
Added support for file types that were previously missing.
- Impossible Traveler
Fixed an issue with sending an email to the manager of the user.
- Isolate Endpoint - Generic
Added the Cortex XDR - Isolate Endpoint sub-playbook.
- Block Indicators - Generic v2
Added additional playbook inputs.
- Employee Offboarding - Gather User Information
Improved error handling when the user's manager is not found.
- Calculate Severity - Critical Assets v2
Fixed an issue that caused the playbook to fail when certain inputs were missing.
Deprecated Playbook
- Failed Login Playbook - Slack v2
Deprecated. Use the Slack - General Failed Logins v2.1 playbook instead.
Incident Fields
12 New Incident Fields
- Login Attempt Count
- userAccountControl
- Dest OS
- Successful Login
- SANS Stage
- Dest Hostname
- User Disabled Status
- Src Hostname
- sAMAccountName
- Account Groups
- Password Expiration Status
- MAC Address
Layouts
2 New Layouts
- Cymulate Immediate Threats - Summary
- Brute Force - Summary
Added a layout for the Brute Force incident type. (Available from Demisto 5.0).
Improved Layouts
- domainRep2 - Indicator Details
- Added the domain2 indicator layout.
- Added the indicator field Aggregated Reliability, which is the aggregated score of the feed.
Cortex XSOAR 5.5 Release
Integrations
2 New Integrations
- JSON Feed
Fetches indicators from a JSON feed.
- Syslog Sender
Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.
6 Improved Integrations
- AutoFocus Feed
Changed the default indicator reputation to Bad.
- Export Indicators Service
- Added support for the following inline URL parameters.
- t - The type indicated in the mwg format.
- sp - Whether to strip ports of URLs in the panosurl format.
- di - Whether to drop invalid URLs in the panosurl format.
- cd - The default category in the proxysg format.
- ca - The categories to show in the proxysg format.
- tr - Whether to collapse IPs to ranges or CIDRs.
- Added support for "McAfee Web Gateway", "PAN-OS URL" and "Symantec ProxySG" output formats.
- Fixed an issue where "json", "json-seq" and "csv" formats did not match the original Minemeld formats.
- Added support for "XSOAR json", "XSOAR json-seq" and "XSOAR csv" output formats.
- Added a feature where "csv" and "XSOAR csv" formats now download a .csv file with the indicator information.
- The "json-seq" and "XSOAR json-seq" functions now download a file with indicator information as a JSON sequence.
- Added support for IP ranges and CIDR collapse.
- Bambenek Consulting Feed
- Renamed the Sub-Feeds parameter to Services in the instance configuration.
- Added 5 services:
- C2 All Indicator Feed
- High-Confidence C2 All Indicator Feed
- DGA Domain Feed
- High-Confidence DGA Domain Feed
- Sinkhole Feed
- Services are now represented by their names instead of their URL addresses.
- TAXII Server
Improved the test module functionality.
- TAXII Feed
You can now leave the collection parameter empty to receive the list of available collections.
- Palo Alto Networks PAN-OS EDL Service
- Improved the test module functionality.
- Added support for IP collapse to ranges and CIDRs.
- Renamed the Sub-Feeds parameter to Services in the instance configuration for the following feeds:
- Cloudflare Feed
- AWS Feed
- abuse.ch SSL Blacklist Feed
- Blocklist_de Feed
- Recorded Future RiskList Feed
- Spamhaus Feed
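The Export Indicators Service parameters above (sp to strip ports, di to drop invalid URLs, tr to collapse IPs to ranges or CIDRs) and the matching IP collapse added to the PAN-OS EDL Service describe transformations that are easy to get subtly wrong. The following Python is an added example for this page, not the integrations' own code. It assumes the PAN-OS EDL convention of scheme-less URL entries (host, optional port, path and query); the exact vendor format rules are not on this page, and the function names and sample inputs are this example's own.

```python
import ipaddress
import re
from typing import Iterable, List
from urllib.parse import urlsplit


def collapse_ips(values: Iterable[str]) -> List[str]:
    """Collapse single IPs, CIDRs and 'first-last' ranges into the minimal set of CIDRs
    (the 'tr' behaviour with CIDR output). IPv4 and IPv6 are collapsed separately."""
    nets = []
    for raw in values:
        value = raw.strip()
        if "-" in value:
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(value, strict=False))
    collapsed = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return collapsed


def collapse_to_ranges(values: Iterable[str]) -> List[str]:
    """Same input as collapse_ips, but emits contiguous 'first-last' ranges, merging
    adjacent CIDRs that are not alignable into one supernet. A lone address stays as is."""
    ranges = []
    for cidr in collapse_ips(values):
        net = ipaddress.ip_network(cidr)
        first, last = net[0], net[-1]
        prev_last = ranges[-1][1] if ranges else None
        if prev_last is not None and prev_last.version == first.version and int(prev_last) + 1 == int(first):
            ranges[-1] = (ranges[-1][0], last)
        else:
            ranges.append((first, last))
    return [str(a) if a == b else f"{a}-{b}" for a, b in ranges]


def format_panosurl(urls: Iterable[str], strip_port: bool = False, drop_invalid: bool = False) -> List[str]:
    """Emit scheme-less URL entries (assumed PAN-OS EDL convention). Userinfo is always
    removed; 'sp' strips the port; 'di' drops entries with no usable host."""
    out = []
    for raw in urls:
        value = raw.strip()
        parts = urlsplit(value if "://" in value else "http://" + value)
        host = (parts.hostname or "").lower()
        # Usable host: present, no whitespace anywhere, and either dotted or an IPv6 literal.
        valid = bool(host) and not re.search(r"\s", value) and ("." in host or ":" in host)
        if not valid:
            if not drop_invalid:
                out.append(value)  # pass through untouched when 'di' is off
            continue
        netloc = parts.netloc.rsplit("@", 1)[-1].lower()  # drop user:pass@
        if strip_port:
            netloc = f"[{host}]" if ":" in host else host
        entry = netloc + parts.path
        if parts.query:
            entry += "?" + parts.query
        out.append(entry)
    return out
```

Collapsing before export keeps an EDL within the consumer's entry limits and makes duplicate or overlapping feed entries harmless; the two range forms exist because some consumers accept CIDRs only while others accept dash ranges.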
Scripts
2 New Scripts
- ThreatIntelManagementGetIncidentsPerFeed
Gets the total number of incidents per OOTB feed.
- ExtractDomainAndFQDNFromUrlAndEmail
Extracts domains and FQDNs from URLs and emails.
Playbooks
28 New Playbooks
- TIM - Review Indicators Manually
This playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators on the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags such as 'approved_black', 'approved_white', and so on. Once the analyst completes the review, the playbook can optionally send an email listing the changes made by the analyst that have not been approved. Finally, the playbook removes the 'pending review' tag from the indicators.
- TIM - ArcSight Add Domain Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID must be defined in the playbook inputs, as well as the name of the Active List field to add to.
- TIM - Process Indicators Against Approved Hash List
This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.
- TIM - Process Indicators Against Business Partners Domains List
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly.
- TIM - QRadar Add IP Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- TIM - Add IP Indicators To SIEM
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- TIM - Run Enrichment For Hash Indicators
This playbook processes indicators by enriching them based on the indicator feed's reputation, as specified in the playbook inputs. Use this playbook with caution: running enrichment on large numbers of indicators may exhaust the enrichment integration's API license.
- TIM - ArcSight Add IP Indicators
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
- TIM - Process Indicators - Fully Automated
This playbook tags indicators ingested from high-reliability feeds. The playbook is triggered by a Cortex XSOAR job. The indicators are tagged as approved_white, approved_black, or approved_watchlist. The tagged indicators are then ready for consumption by third-party systems such as SIEM, EDR, and so on.
- TIM - Process Indicators Against Organizations External IP List
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organization's external IP addresses, and tags the indicators accordingly.
- TIM - Run Enrichment For Url Indicators
This playbook processes indicators by enriching them based on the indicator feed's reputation, as specified in the playbook inputs. Use this playbook with caution: running enrichment on large numbers of indicators may exhaust the enrichment integration's API license.
- TIM - QRadar Add Url Indicators
This playbook queries indicators based on a predefined query or the results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- TIM - Process Indicators Against Business Partners IP List
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly.
- TIM - Run Enrichment For Domain Indicators
This playbook processes indicators by enriching them based on the indicator feed's reputation, as specified in the playbook inputs. Use this playbook with caution: running enrichment on large numbers of indicators may exhaust the enrichment integration's API license.
- TIM - Run Enrichment For All Indicator Types
This playbook performs enrichment on indicators based on the playbook query, as specified in the playbook inputs. Use this playbook with caution: running enrichment on large numbers of indicators may exhaust the enrichment integration's API license.
- TIM - Add Domain Indicators To SIEM
This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
- TIM - QRadar Add Domain Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- TIM - Add All Indicator Types To SIEM
This playbook runs sub-playbooks that send indicators of all types to your SIEM.
- TIM - Run Enrichment For IP Indicators
This playbook processes indicators by enriching them based on the indicator feed's reputation, as specified in the playbook inputs. Use this playbook with caution: running enrichment on large numbers of indicators may exhaust the enrichment integration's API license.
- TIM - Add Bad Hash Indicators To SIEM
This playbook receives file hash indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- TIM - Add URL Indicators To SIEM
This playbook receives URL indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
- TIM - Indicator Auto Processing
This playbook uses several sub-playbooks to process and tag indicators in order to identify indicators that should not be blacklisted, for example IP indicators that belong to business partners, or important hashes that should not be processed.
- TIM - Process File Indicators With File Hash Type
This playbook processes file indicators by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5.
- TIM - Process Indicators Against Business Partners URL List
This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner URLs, and tags the indicators accordingly. To enable the playbook, provide the name of a Cortex XSOAR list containing business partner URLs.
- TIM - Process Indicators - Manual Review
This playbook is triggered by a job and tags indicators ingested by feeds that require manual approval. The playbook optionally concludes by creating a new incident that includes all of the indicators the analyst must review.
- TIM - QRadar Add Bad Hash Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
- TIM - ArcSight Add Bad Hash Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List ID must be defined in the playbook inputs, as well as the name of the Active List field to which to add the indicators.
- TIM - ArcSight Add URL Indicators
This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List ID must be defined in the playbook inputs, as well as the name of the Active List field to add to.
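Several of the TIM playbooks above perform the same kind of pre-processing before indicators are pushed to a SIEM or enriched: tag file indicators by hash type (Sha256, Sha1, Md5), tag hashes that appear in an approved list as approved_hash, and tag domains and IPs that belong to business partners so they are not blacklisted. The following Python is an added example for this page, not the playbooks' own logic. The release notes only say partner matches are "tagged accordingly", so the partner tag names here are this example's own assumption, as are the helper names and the constructed sample lists; the page says nothing about subdomain or CIDR matching either, which this example adds because an exact-string check would miss partner hosts in practice.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Hex digest length -> hash type tag named in "Process File Indicators With File Hash Type".
HASH_TYPE_TAGS = {32: "Md5", 40: "Sha1", 64: "Sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed tag names: the release notes do not specify what partner matches are tagged as.
PARTNER_DOMAIN_TAG = "business_partner_domain"
PARTNER_IP_TAG = "business_partner_ip"

# Constructed sample data for the worked example (not from the page).
SAMPLE_INDICATORS = [
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "File"},
    {"value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "type": "File"},
    {"value": "portal.partner.example", "type": "Domain"},
    {"value": "evil.example.net", "type": "Domain"},
    {"value": "203.0.113.7", "type": "IP"},
    {"value": "198.51.100.9", "type": "IP"},
]
APPROVED_HASHES = ["d41d8cd98f00b204e9800998ecf8427e"]
PARTNER_DOMAINS = ["partner.example"]
PARTNER_NETWORKS = ["203.0.113.0/24"]


def hash_type_tag(value: str) -> str:
    """Classify a hex digest by length; '' for anything that is not MD5/SHA-1/SHA-256."""
    v = value.lower()
    return HASH_TYPE_TAGS.get(len(v), "") if HEX_RE.match(v) else ""


def domain_in_list(domain: str, partner_domains: Iterable[str]) -> bool:
    """True for an exact match or a subdomain of a listed partner domain."""
    d = domain.lower().rstrip(".")
    for listed in partner_domains:
        p = listed.lower().rstrip(".")
        if d == p or d.endswith("." + p):
            return True
    return False


def ip_in_list(ip: str, partner_networks: Iterable[str]) -> bool:
    """True if the address falls inside any listed partner address or CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for listed in partner_networks:
        net = ipaddress.ip_network(listed, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def process_indicators(indicators, approved_hashes, partner_domains, partner_networks) -> Dict[str, List[str]]:
    """Return the tags each indicator should receive, keyed by indicator value."""
    approved = {h.lower() for h in approved_hashes}
    result: Dict[str, List[str]] = {}
    for ind in indicators:
        value, itype = ind["value"], ind["type"]
        tags: List[str] = []
        if itype == "File":
            t = hash_type_tag(value)
            if t:
                tags.append(t)
            if value.lower() in approved:  # case-insensitive list membership
                tags.append("approved_hash")
        elif itype == "Domain" and domain_in_list(value, partner_domains):
            tags.append(PARTNER_DOMAIN_TAG)
        elif itype == "IP" and ip_in_list(value, partner_networks):
            tags.append(PARTNER_IP_TAG)
        result[value] = tags
    return result


def run_sample() -> Dict[str, List[str]]:
    return process_indicators(SAMPLE_INDICATORS, APPROVED_HASHES, PARTNER_DOMAINS, PARTNER_NETWORKS)
```

Normalizing hash case before the list lookup is the detail that most often bites here: feeds and EDR products disagree on digest casing, and a case-sensitive comparison silently fails to tag an approved hash, which then gets pushed to the SIEM as malicious.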
Layouts
New Layout
- Review Indicators Manually - Summary
New layout for the Review Indicators Manually incident type.
10 Improved Layouts
- domainRep - Indicator Details
- Changed the domain ID to the new domain indicator ID.
- Added the indicator field Aggregated Reliability, which is the aggregated score of the feed, and added Custom Details and Extended Details sections to the following layouts:
- accountRep - Indicator Details
- emailRep - Indicator Details
- hostRep - Indicator Details
- unifiedFileRep - Indicator Details
- cveRep - Indicator Details
- registryKey - Indicator Details
- ipRep - Indicator Details
- urlRep - Indicator Details
- domainRep - Indicator Details