Demisto Content Release Notes for version 18.10.3 (14022)

Published on 30 October 2018


3 New Integrations

  • AWS - CloudWatchLogs Amazon Web Services CloudWatch Logs integration for querying and managing CloudWatch log groups and streams. For more information, see the Amazon Web Services CloudWatch documentation.
  • BitDam BitDam secure email gateway protects against advanced content-borne threats with the most accurate prevention of known and unknown threats, at their source. For more information, see the BitDam documentation.
  • Red Canary Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon.

15 Improved Integrations

  • AWS - S3 Added the aws-s3-upload-file command. For more information, see the AWS S3 documentation.
  • Carbon Black Enterprise Live Response Improved the integration test.
  • IntSights Improved integration implementation and execution. For more information, see the IntSights documentation.
  • Devo Added a default results limit of 30.
  • EWS v2 Added support for Public Folders and compliance search in Office 365.
  • FireEye HX Added enforcement of passing either the defaultSystemScript argument or both the script and scriptName arguments when running the fireeye-hx-data-acquisition command.
  • Lastline For more information, see the Lastline documentation.
    - Improved outputs, error messages, and code readability.
    - Added support for inserting multiple inputs for the lastline-get command.
  • PagerDuty v2 Added support to send ServiceKey with the PagerDuty-submit-event command.
  • Dell Secureworks Added support for getting ticket attachments.
  • ServiceNow
    - Added support for the catalog task ticket type.
    - Improved error messages.
  • SumoLogic Added support to use the equal sign in the query and headers arguments for the search command.
  • ThreatConnect Fixed a filter issue when the ratingThreshold argument is specified.
  • FireEye iSIGHT Added DBot score output for indicators that do not contain data.
  • McAfee ePO Added 2 commands:
    - epo-get-tables
    - epo-query-table
  • Cisco Umbrella Investigate Added 13 commands:
    - domain
    - umbrella-get-related-domains
    - umbrella-get-domain-classifiers
    - umbrella-get-domain-queryvolume
    - umbrella-get-domain-details
    - umbrella-get-domains-for-email-registrar
    - umbrella-get-domains-for-nameserver
    - umbrella-get-whois-for-domain
    - umbrella-get-malicious-domains-for-ip
    - umbrella-get-domains-using-regex
    - umbrella-get-domain-timeline
    - umbrella-get-ip-timeline
    - umbrella-get-url-timeline


2 New Scripts

  • IsListExist Checks if a list exists in Demisto lists.
  • RegexGroups Extracts elements that are contained in all the subgroups that match the pattern.

5 Improved Scripts

  • EPOFindSystem Improved error handling.
  • FireEyeDetonateFile Added arguments to enable setting analysis type and pre-fetch when running the script.
  • PagerDutyAlertOnIncident PagerDuty API v2 is now supported.
  • UnzipFile Enabled decompression of AES encrypted files.
  • TextFromHTML Added support for multiple languages.

Deprecated Script

  • CloseInvestigation Use the closeInvestigation command instead.


13 New Playbooks

  • Add Indicator to Miner - Palo Alto MineMeld Add indicators to the relevant Miner using MineMeld.
  • Detonate File - BitDam Detonates one or more files using BitDam integration.
  • Block Account - Generic This playbook blocks malicious usernames using all integrations that you have enabled.
  • Block File - Carbon Black Response This playbook receives an MD5 hash and adds it to the blacklist in Carbon Black Enterprise Response.
  • Block File - Generic A generic playbook for blocking files from running on endpoints.
  • Block IP - Generic This playbook blocks malicious IPs using all integrations that you have enabled.
  • Block Indicators - Generic This playbook blocks malicious Indicators using all integrations that you have enabled.
  • Block URL - Generic This playbook blocks malicious URLs using all integrations that you have enabled.
  • Demisto Self-Defense - Account policy monitoring playbook Gets the list of Demisto users through the REST API and alerts if any non-SAML user accounts are found.
  • Detonate File - Lastline Detonates a file using the Lastline sandbox.
  • Detonate URL - Lastline Detonates a URL using the Lastline sandbox integration.
  • Office 365 Search and Delete Runs a ComplianceSearch on Office 365 and deletes the results.
  • Phishing Investigation - Generic Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself.

3 Improved Playbooks

  • Detonate File - Generic Added the Lastline Detonate File playbook.
  • Detonate URL - Generic Added the Lastline Detonate URL playbook.
  • Phishing Investigation - Generic Added support for blocking malicious indicators in relevant integrations.