demisto/content 20.3.4

Demisto Content Release version 20.3.4 (45989)

on GitHub

Demisto Content Release Notes for version 20.3.4 (45989)

Published on 30 March 2020

Integrations

7 New Integrations

• Cymulate
  Multi-Vector Cyber Attack, Breach and Attack Simulation.
• Silverfort
  Use the Silverfort integration to get and update Silverfort risk severity.
• Generic SQL
  Use the Generic SQL integration to run SQL queries on the following databases: MySQL, PostgreSQL, Microsoft SQL Server, and Oracle.
• Microsoft Defender Advanced Threat Protection
  Use the Microsoft Defender Advanced Threat Protection (ATP) for preventative protection, post-breach detection, automated investigation, and response.
• Cortex Data Lake
  Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation for your on-premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.
• Fidelis EDR
  Use the Fidelis Endpoint integration for advanced endpoint detection and response (EDR) across Windows, Mac, and Linux operating systems for faster threat remediation.
• Tanium Threat Response
  Use the Tanium Threat Response integration to manage endpoints processes, evidence, alerts, files, snapshots, and connections.

15 Improved Integrations

• Symantec Managed Security Services
  Fixed an issue where fetch-incidents failed on data containing special characters.
• AWS - EC2
  • Improved handling of error messages.
  • Updated the result returned when the command is an empty list.
• illuminate
  Fixed an issue where indicators with no benign data showed as malicious.
• Microsoft Teams
  Added the microsoft-teams-ring-user command.
• Active Directory Query v2
  Fixed the User Account Control translation value.
• Slack v2
  Fixed a bug where messages were not sent to a channel if it was the dedicated channel for notifications.
• SplunkPy
  • Added the Replace with Underscore in Incident Fields parameter key, which replaces problematic characters (e.g., ".") with underscores ("_") in context keys.
  • Added the First fetch timestamp parameter, which indicates the date and time from which incidents should be fetched.
  • Fixed an issue where the splunk-search command presented the table headers in alphabetical order instead of the query order.
• Expanse
  • Shortened the period of time that tokens are considered valid, to avoid authorization errors.
  • Fixed an issue related to the ip command where an error is generated if the API returns a partial response.
  • Added friendly values for various empty fields returned by the domain command.
• Palo Alto Networks AutoFocus v2
  • Fixed an issue where get_search_results mistakenly returns "no results".
  • Added the SessionStart context output to the following commands.
    • autofocus-search-samples
    • autofocus-search-Sessions
    • autofocus-top-tags-search
• Microsoft Graph Mail
  • Fixed an issue where the listing emails were not comparing the mail ID.
  • Added 4 commands. These commands require additional permissions. See the Detailed Description for more information.
    • msgraph-mail-create-draft
    • msgraph-mail-send-draft
    • msgraph-mail-reply-ro
    • send-mail
  • Added the ability to fetch mails as incidents.
• Rasterize
  Increased the default value for rasterize image width to 1024px.
• Okta
  Fixed a typo in the DisplayName context path in the okta-search command.
• Lockpath KeyLight v2
  Fixed the Fetch incidents raw data to match the data and format of the kl-get-records data command.
• Fidelis Elevate Network
  Added the following commands.
  • fidelis-get-alert-session-data - Gets the session data of an alert.
  • fidelis-get-alert-decoding-path - Gets the decoding data of an alert.
  • fidelis-add-alert-comment - Adds a comment to an alert.
  • fidelis-get-alert-execution-forensics - Gets the execution forensic data of an alert.
  • fidelis-update-alert-status - Assigns a status to an alert (False Positive, Not Interesting, Interesting and Actionable).
  • fidelis-close-alert - Closes an alert.
  • fidelis-assign-user-to-alert - Assigns a user to an alert.
  • fidelis-get-alert-forensic-text - Gets the forensic text of an alert.
  • fidelis-alert-execution-forensics-submission - Submit an alert with an executable file for execution forensics.
  • fidelis-manage-alert-label - Adds, removes, or changes an alert label.
• Tanium v2
  • Added support for question text with parameters instead of using the parameters argument in the tn-ask-question command.
  • Fixed an issue where the tn-get-question-result command returned a list in a single-column result.

Deprecated Integrations

• Palo Alto Networks Cortex
  Deprecated. Use the Cortex Data Lake integration instead.
• Windows Defender Advanced Threat Protection
  Deprecated. Use the Microsoft Defender Advanced Threat Protection integration instead.

Scripts

2 New Scripts

• ReplaceMatchGroup
  Returns a string with all matches of a regex pattern groups replaced by a replacement.
• Base64Decode
  Decodes an input in Base64 format.

4 Improved Scripts

• ExtractFQDNFromUrlAndEmail
  Fixed an issue with the ATP link regex.
• ExtractDomainFromUrlAndEmail
  Fixed an issue with the ATP link regex.
• UnEscapeURLs
  • Fixed an issue with unescaped 'https' URLs.
  • Fixed an issue with the ATP link regex.
• FindSimilarIncidents
  Deprecated the following arguments, use the similarIncidentFields command instead.
  • similarCustomFields
  • similarIncidentKeys

Playbooks

11 New Playbooks

• Tanium Threat Response - Create Connection
  Creates a connection to a remote destination from Tanium.
• Cortex XDR - Isolate Endpoint
  Accepts an XDR endpoint ID and isolates it using the Palo Alto Networks Cortex XDR - Investigation and Response integration.
• Dedup - Generic v2
  Identifies duplicate incidents using one of the supported methods.
• Brute Force Investigation - Generic - SANS
  Investigates a "Brute Force" incident by gathering user and IP information and calculating the incident severity based on the gathered information and information received from the user. It then performs remediation.
  Disclaimer: This playbook does not ensure compliance with SANS regulations.
• Brute Force Investigation - Generic
  Investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation.
• Prisma Cloud Remediation - GCP Compute Engine Misconfiguration
  Remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps.
• Prisma Cloud Remediation - GCP Compute Engine Instance Misconfiguration
  Remediates Prisma Cloud GCP Compute Engine VM Instance alerts.
• Silverfort Update Risk for Domain Admins Incidents
  Gets an incident related to an account. If it is a domain admin, updates Silverfort risk.
• Microsoft Defender Advanced Threat Protection Get Machine Action Status
  This playbook uses generic polling to get machine action information.
• Tanium Threat Response - Request File Download
  Requests file download from Tanium.
• Silverfort Disable High Risk Account
  This playbook gets the user's risk from Silverfort DB. If the risk is medium or higher, the user will be blocked and an alert will be sent.

8 Improved Playbooks

• Palo Alto Networks - Malware Remediation
  Added the Cortex XDR - Isolate Endpoint sub-playbook.
• Block URL - Generic
  Added additional playbook inputs.
• Detonate File - FireEye AX
  Added support for file types that were previously missing.
• Impossible Traveler
  Fixed an issue with sending an email to the manager of the user.
• Isolate Endpoint - Generic
  Added the Cortex XDR - Isolate Endpoint sub-playbook.
• Block Indicators - Generic v2
  Added additional playbook inputs.
• Employee Offboarding - Gather User Information
  Improved error handling when the user's manager is not found.
• Calculate Severity - Critical Assets v2
  Fixed an issue that caused the playbook to fail when certain inputs were missing.

Deprecated Playbook

• Failed Login Playbook - Slack v2
  Deprecated. Use the Slack - General Failed Logins v2.1 playbook instead.

Incident Fields

12 New Incident Fields

• Login Attempt Count
• userAccountControl
• Dest OS
• Successful Login
• SANS Stage
• Dest Hostname
• User Disabled Status
• Src Hostname
• sAMAccountName
• Account Groups
• Password Expiration Status
• MAC Address

Layouts

2 New Layouts

• Cymulate Immediate Threats - Summary
• Brute Force - Summary
  Added a layout for the Brute Force incident type. (Available from Demisto 5.0).

Improved Layouts

• domainRep2 - Indicator Details
  • Added the domain2 indicator layout.
  • Added the indicator field Aggregated Reliability, which is the aggregated score of the feed.

Cortex XSOAR 5.5 Release

Integrations

2 New Integrations

• JSON Feed
  Fetches indicators from a JSON feed.
• Syslog Sender
  Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.

6 Improved Integrations

• AutoFocus Feed
  Changed the default indicator reputation to Bad.
• Export Indicators Service
  • Added support for the following inline URL parameters.
    • t - The type indicated in the mwg format.
    • sp - Whether to strip ports of URLs in the panosurl format.
    • di - Whether to drop invalid URLs in the panosurl format.
    • cd - The default category in the proxysg format.
    • ca - The categories to show in the proxysg format.
    • tr - Whether to collapse IPs to ranges or CIDRs.
  • Added support for "McAfee Web Gateway", "PAN-OS URL" and "Symantec ProxySG" output formats.
  • Fixed an issue where "json", "json-seq" and "csv" formats did not match the original Minemeld formats.
  • Added support for "XSOAR json", "XSOAR json-seq" and "XSOAR csv" output formats.
  • Added a feature where "csv" and "XSOAR csv" formats now download a .csv file with the indicator information.
  • The "json-seq" and "XSOAR json-seq" functions now download a file with indicator information as a JSON sequence.
  • Added support for IP ranges and CIDR collapse.
• Bambenek Consulting Feed
  • Renamed the Sub-Feeds parameter to Services in the instance configuration.
  • Added 5 services:.
    • C2 All Indicator Feed.
    • High-Confidence C2 All Indicator Feed.
    • DGA Domain Feed.
    • High-Confidence DGA Domain Feed.
    • Sinkhole Feed feeds.
  • Services are now represented by their names instead of their URL addresses.
• TAXII Server
  Improved the test module functionality.
• TAXII Feed
  You can now leave the collection parameter empty to receive the list of available collections.
• Palo Alto Networks PAN-OS EDL Service
  • Improved the test module functionality.
  • Added support for IP collapse to ranges and CIDRs.
  • Renamed the Sub-Feeds parameter to Services in the instance configuration for the following feeds:
    • Cloudflare Feed
    • AWS Feed
    • abuse.ch SSL Blacklist Feed
    • Blocklist_de Feed
    • Recorded Future RiskList Feed
    • Spamhaus Feed
    • Cloudflare Feed
    • AWS Feed
    • Recorded Future RiskList Feed
    • Spamhaus Feed

Scripts

2 New Scripts

• ThreatIntelManagementGetIncidentsPerFeed
  Gets the total number of incidents per OOTB feed.
• ExtractDomainAndFQDNFromUrlAndEmail
  Extracts domains and FQDNs from URLs and emails.

Playbooks

28 New Playbooks

• TIM - Review Indicators Manually
  This playbook helps analysts manage the manual process of reviewing indicators. The playbook indicator query is set to search for indicators that have the 'pending review' tag. The playbook's layout displays all of the related indicators in the summary page. While reviewing the indicators, the analyst can go to the summary page and tag the indicators accordingly with tags 'such as, 'approved_black', 'approved_white', etc. Once the analyst completes their review, the playbook can optionally send an email with a list of changes done by the analyst which haven't been approved. Once complete, the playbook removes the 'pending review' tag from the indicators.
• TIM - ArcSight Add Domain Indicators
  This playbook queries indicators based on a predefined query or results from a parent playbook and adds the resulting indicators to an ArcSight Active List. The Active List-ID should also be defined in the playbook inputs, as well as the field name in the Active list to add to.
• TIM - Process Indicators Against Approved Hash List
  This playbook checks if file hash indicators exist in a Cortex XSOAR list. If the indicators exist in the list, they are tagged as approved_hash.
• TIM - Process Indicators Against Business Partners Domains List
  This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the business partner domains, and tags the indicators accordingly.
• TIM - QRadar Add IP Indicators
  This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
• TIM - Add IP Indicators To SIEM
  This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
• TIM - Run Enrichment For Hash Indicators
  This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
• TIM - ArcSight Add IP Indicators
  This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to SIEM.
• TIM - Process Indicators - Fully Automated
  This playbook tags indicators ingested from high reliability feeds. The playbook is triggered by a Cortex XSOAR job. The indicators are tagged as approved_white, approved_black, approved_watchlist. The tagged indicators will be ready for consumption for 3rd party systems such as SIEM, EDR, and so on.
• TIM - Process Indicators Against Organizations External IP List
  This playbook processes indicators to check if they exist in a Cortex XSOAR list containing the organizational External IP addresses, and tags the indicators accordingly.
• TIM - Run Enrichment For Url Indicators
  This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
• TIM - QRadar Add Url Indicators
  This playbook queries indicators based on a pre-defined query or the results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
• TIM - Process Indicators Against Business Partners IP List
  This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner IP addresses, and tags the indicators accordingly.
• TIM - Run Enrichment For Domain Indicators
  This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
• TIM - Run Enrichment For All Indicator Types
  This playbook performs enrichment on indicators based on playbook query, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
• TIM - Add Domain Indicators To SIEM
  This playbook receives indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to the SIEM.
• TIM - QRadar Add Domain Indicators
  This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
• TIM - Add All Indicator Types To SIEM
  This playbook runs sub-playbooks that send indicators of all types to your SIEM.
• TIM - Run Enrichment For IP Indicators
  This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.
• TIM - Add Bad Hash Indicators To SIEM
  This playbook receives file-hash indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
• TIM - Add URL Indicators To SIEM
  This playbook receives URL indicators from its parent playbook and provides the indicators as inputs for the sub-playbooks that push the indicators to your SIEM.
• TIM - Indicator Auto Processing
  This playbook uses several sub playbooks to process and tag indicators, which is used to identify indicators that shouldn't be blacklisted. For example, IP indicators that belong to business partners or important hashes we wish to not process.
• TIM - Process File Indicators With File Hash Type
  This playbook processes file indicator by tagging them with the relevant file hash type tag, such as Sha256, Sha1, and Md5.
• TIM - Process Indicators Against Business Partners URL List
  This playbook processes indicators to check if they exist in a Cortex XSOAR list containing business partner URLs, and tags the indicators accordingly. To enable the playbook, provide a Cortex XSOAR list name containing business partner URLs.
• TIM - Process Indicators - Manual Review
  This playbook is triggered by a job and tags indicators ingested by feeds which require manual approval. The playbook optionally concludes with creating a new incident that includes all of the indicators that the analyst must review.
• TIM - QRadar Add Bad Hash Indicators
  This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
• TIM - ArcSight Add Bad Hash Indicators
  This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to an ArcSight Active List. The Active List-ID should be defined in the playbook inputs, as well as the field name in the Active list to which to add the indicators.
• TIM - ArcSight Add URL Indicators
  This playbook queries indicators based on a pre-defined query or results from a parent playbook and adds the resulting indicators to an ArcSight. Active List. The Active List-ID should also be defined in the playbook inputs as well as the field name in the Active list to add to.

Layouts

New Layout

• Review Indicators Manually - Summary
  New layout for the Review Indicators Manually type.

10 Improved Layouts

• domainRep - Indicator Details
  • Changed the domain ID to the new domain indicator ID.
• Added the indicator field Aggregated Reliability, which is the aggregated score of the feed and added custom details and Extended details sections to the following layouts:
  • accountRep - Indicator Details
  • emailRep - Indicator Details
  • hostRep - Indicator Details
  • unifiedFileRep - Indicator Details
  • cveRep - Indicator Details
  • registryKey - Indicator Details
  • ipRep - Indicator Details
  • urlRep - Indicator Details
  • domainRep - Indicator Details