demisto/content 20.4.0

Demisto Content Release 20.4.0 (47887)

on GitHub

Demisto Content Release Notes for version 20.4.0 (47887)

Published on 14 April 2020

Breaking Changes

Deleted several deprecated playbooks. See the Playbooks section for full details. This is only applicable to Cortex XSOAR 5.5.

Integrations

9 New Integrations

• Sixgill DarkFeed™ Threat Intelligence
  Leverage the power of Sixgill to supercharge Cortex XSOAR with real-time Threat Intelligence indicators. Get IOCs such as domains, URLs, hashes, and IP addresses straight into the Demisto platform.
• MongoDB
  Use the MongoDB integration to search and query entries in your MongoDB.
• MongoDB Log
  Writes log data to a MongoDB collection.
• MongoDB Key Value Store
  Manipulates key/value pairs according to an incident utilizing the MongoDB collection.
• Okta v2
  Integration with Okta's cloud-based identity management service.
• Cisco ASA
  Use the Cisco Adaptive Security Appliance Software integration to manage interfaces, rules, and network objects.
• Cisco Firepower
  Use the Cisco Firepower integration for unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
• Azure Sentinel
  Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.
• SafeBreach v2
  SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.

18 Improved Integrations

• Sixgill Deep Insights
  • Updated the README.
  • Updated the integration Docker image.
  • Added support to use proxies.
  • Updated tests.
  • Updated the integration logo.
  • Removed the get-indicators command.
  • Removed playbooks that used the get-indicators command.
• Expanse
  • Added support for pulling behavior data to create new incidents.
  • Added support for the expanse-get-behavior command.
  • Added support for the expanse-get-certificate command.
• Exabeam
  Fixed connection error without proxy.
• SlashNext Phishing Incident Response
  Added the slashnext-api-quota command, which gets information about user's API quota.
• Microsoft Teams
  • Set the listener host to 0.0.0.0 in order to handle IPv6.
  • Fixed an issue where the email address of the message sender was not handled properly.
• Slack v2
  Reduced the maximum number of threads used by the integration.
• MISP v2
  Fixed the integration filter parameter, Influence on the Entry context returned.
• Fidelis Elevate Network
  Fixed an issue with partial results parsing.
• Have I Been Pwned? v2
  Added the pwned-username command, which enables searching usernames.
• Prisma Cloud (RedLock)
  • Improved logging for fetch_incidents.
  • Improved error handling.
• SplunkPy
  Added the splunk-job-status command, which checks the status of a job.
• AWS - EC2
  Added the following commands.
  • aws-ec2-delete-subnets
  • aws-ec2-describe-internet-gateway
  • aws-ec2-detach-internet-gateway
  • aws-ec2-delete-internet-gateway
  • aws-ec2-create-traffic-mirror-session
  • aws-ec2-delete-vpc
  • Fixed an issue where the email address of the message sender was not handled properly.
• IBM X-Force Exchange v2
  Fixed an issue in the file command.
• TAXII Server
  Updated the reference to the traffic light protocol indicator field to use the new cliname.
• AlienVault USM Anywhere
  Fixed an issue where fetching incidents created duplicate incidents.
• VulnDB
  Improved exception parsing when the API quota is exceeded.
• ExtraHop Reveal(x) v2
  Updated the names of alert rule commands to clarify that these commands only manage alert rules, they do not fetch alert events.
• Palo Alto Networks Cortex XDR - Investigation and Response
  • Fixed the issue where the xdr-isolate-endpoint command failed in the following situations:
    • The endpoint was disconnected.
    • The isolation was still pending.
    • The isolation cancellation was still pending.
  • Fixed the issue where the xdr-unisolate-endpoint failed in the following situations:
    • The endpoint was disconnected.
    • The isolation was still pending.
    • The isolation cancellation was still pending.
• Palo Alto Networks BPA
  Updated the integration name to Palo Alto Networks BPA.

Feeds (From Cortex XSOAR 5.5 only)

Added the Tags parameter to the following feeds:

• Azure Feed
• Bambenek Consulting Feed
• Blocklist_de Feed
• Cloudflare Feed
• DShield Feed
• Fastly Feed
• Feodo Tracker Hashes Feed
• Feodo Tracker IP Blocklist Feed
• HTTPFeedApiModule
• JSON Feed
• Malware Domain List Active IPs Feed
• Plain Text Feed
• Spamhaus Feed

Improved Feed

• Tor Exit Addresses Feed
  Added default mapping of indicator fields.

Scripts

New Script

• HTMLtoMD
  Converts the passed HTML to Markdown.

5 Improved Scripts

• ParseEmailFiles
  Improved handling of attachments.
• DockerHardeningCheck
  Added the memory_check argument to specify how to test memory limitations.
• FormattedDateToEpoch
  Fixed an issue where time conversion didn't support timezone.
• SlackAsk
  The script will now send a message using the Slack V2 integration only.
• GetLicenseID
  Fixed an issue where the script wasn't returning results.

Playbooks

5 New Playbooks

• SafeBreach Rerun Insights
  Reruns a SafeBreach insight based on ID, and waits for the playbook to completes. Returns the updated insight object after post rerun.
• SafeBreach Insights Feed Playbook
  Triggers automated remediation for all SafeBreach generated indicators generated by insights. Then it reruns related insights and tags remaining indicators as not remediated ("NotRemediated" tag).
• DBot Create Phishing Classifier V2 From File
  Creates a phishing classifier using machine learning. The classifier is based on incidents files extracted from email content.
• Get Mails By Folder Paths
  Gets emails from specific folders and pre-processes them using EWS.
• Slack - General Failed Logins v2.1
  Investigates a failed login event. The playbook interacts with the user via the Slack integration, checks whether the logins were a result of the user's attempts or an attack, raises the severity, and expires the user's password according to the user's replies.

8 Improved Playbooks

• QRadar Indicator Hunting V2
  Improved the AQL query.
• Splunk Indicator Hunting
  Fixed transformer and task input.
• TIM - Process Indicators Against Business Partners IP List
  Removed hard-coded list name from inputs.
• TIM - Process Indicators Against Organizations External IP List
  Removed default list names.
• TIM - Run Enrichment For Hash Indicators
  Fixed input name.
• TIM - Process Indicators - Fully Automated
  Added conditional tasks to check for result scores.
• Panorama Query Logs
  Added timeout to generic polling.
• PAN-OS Commit Configuration
  Improved the error message when a commit or push fails.

Deprecated Playbook

• Get Mails By Folder Pathes
  Use the Get Mails By Folder Paths playbook instead.

Deleted Playbooks (For Cortex XSOAR 5.5 only)

The following deprecated playbooks have been deleted.

• QRadar Add Url Indicators
  Use the TIM - QRadar Add Url Indicators playbook instead.
• QRadar Add IP Indicators
  Use the TIM - QRadar Add IP Indicators playbook instead.
• QRadar Add Hash Indicators
  Use the TIM - QRadar Add Bad Hash Indicators playbook instead.
• QRadar Add Domain Indicators
  Use the TIM - QRadar Add Domain Indicators playbook instead.
• Process Url Indicators
  Use the TIM - Add Url Indicators to SIEM playbook instead.
• Process IP Indicators
  Use the TIM - Add IP Indicators To SIEM playbook instead.
• Process Hash Indicators
  Use the TIM - Add Bad Hash Indicators To SIEM playbook instead.
• Process Domain Indicators
  Use the TIM - Add Domain Indicators To SIEM playbook instead.
• ArcSight Add Domain Indicators
  Use the TIM - ArcSight Add Domain Indicators playbook instead.
• ArcSight Add Hash Indicators
  Use the TIM - ArcSight Add Bad Hash Indicators playbook instead.
• ArcSight Add IP Indicators
  Use the TIM - ArcSight Add IP Indicators playbook instead.

Layouts

New Layouts

• GCP Compute Engine Misconfiguration - Summary

Improved Layout

• Indicator Feed - New/Edit
  Added the New/Edit Form layout for the Indicator Feed incident type.