Demisto Content Release Notes for version 19.1.1 (16961)

Published on 13 January 2019

Integrations

2 New Integrations

  • CIRCL CIRCL Passive DNS is a database storing historical DNS records from various resources. CIRCL Passive SSL is a database storing historical X.509 certificates seen per IP address. The Passive SSL historical data is indexed per IP address. For more information, see the CIRCL documentation.
  • MISP V2 Malware information sharing platform and threat sharing. This integration replaces the MISP (Deprecated) integration.

10 Improved Integrations

  • Pwned Fixed an issue in the email command that affected backward compatibility.

  • AbuseIPDB

    • Fixed context issues.
    • Added the AbuseIPDB-PopulateIndicators script.
  • Cybereason

    • Improved the implementation of fetching malops as incidents.
    • Added 5 new commands:
      • cybereason-prevent-file
      • cybereason-unprevent-file
      • cybereason-query-file
      • cybereason-query-domain
      • cybereason-query-user

    For more information, see the Cybereason documentation.

  • Google Vault

    • Added 4 new commands:
      • gvault-get-drive-results
      • gvault-get-mail-results
      • gvault-get-groups-results
      • gvault-download-results
    • Added 4 new Google Vault playbooks:
      • Google Vault - Search Mail
      • Google Vault - Search Drive
      • Google Vault - Search Groups
      • Google Vault - Display results
    • In context, Export objects were moved into matching Matter objects (this change is not backward compatible).

    For more information, see the Google Vault documentation.

  • IntSights

    • The get_alerts command now retrieves all alert details.
    • Added the time-delta argument, which retrieves alerts based on a given time delta (in days).

    For more information, see the IntSights documentation.

  • ServiceNow Improved handling of empty responses and missing fields.

  • Cisco Threat Grid You can now submit a file that has unicode characters in the name.

  • TruSTAR Added 4 new commands:

  • Have I Been Pwned? Added DBot score.

  • ThreatConnect

    • Added context and markdown to existing commands.
    • Added new commands.

Scripts

7 New Scripts

  • AbuseIPDBPopulateIndicators Extracts blacklisted IP addresses from AbuseIPDB, and populates indicators accordingly.
  • ChangeRemediationSLAOnSevChange Changes the remediation SLA when a change in incident severity occurs.
  • CopyContextToField Copies a context key to an incident field across multiple incidents, selected by a query.
  • CybereasonPreProcessingExample Run this preprocessing script when fetching Cybereason malops. The script checks whether a malop was already fetched; if so, it updates the existing incident, otherwise it creates a new incident.
  • DT Allows DT scripts to be used within playbook transformers.
  • LinkIncidentsWithRetry Running multiple link incidents simultaneously can cause DB version errors. Use the LinkIncidentsWithRetry script to avoid this error.
  • StopTimeToAssignOnOwnerChange Stops the Time To Assign timer when the incident owner changes.

6 Improved Scripts

  • cveReputation Added a fixed number of retries to execute the cve-search command when a 404 error is returned.
  • ProofpointDecodeURL Added a helpful error description when a URL is not found in the query.
  • SSDeepReputation You can now use this script as an indicator reputation script.
  • SplunkPySearch
    • Fixed 'Missing headers param' bug.
    • Added error validation for the command result.

Deprecated Scripts

  • misp_download_sample This script is deprecated. Use the misp-download-sample command in the MISP V2 integration instead.
  • misp_upload_sample This script is deprecated. Use the misp-upload-sample command in the MISP V2 integration instead.

Playbooks

4 New Playbooks

  • Google Vault - Display Results Queues and displays Google Vault search results.
  • Google Vault - Search Drive Performs Google Vault searches in Drive accounts, and displays the results.
  • Google Vault - Search Groups Performs Google Vault searches in Groups, and displays the results.
  • Google Vault - Search Mail Performs Google Vault searches in Mail accounts, and displays the results.

Widgets

1 Improved Widget

  • MTTR by Type MTTR is now in the timeline widget.

Demisto v4.1.0

This content is available on Demisto v4.1.0 and later

Playbooks

Improved Playbook

  • Phishing Investigation - Generic Added detection and remediation timers based on SLA fields.

Dashboards

1 New Dashboard

  • SLA Displays an overview of your SLAs.

Widgets

4 New Widgets

  • Detection SLA by Status The detection SLA status of all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days, and inherits the new time range when the dashboard time changes.
  • Mean Time to Detection The mean time (average time) to detection across all incidents whose severity was determined. By default, the widget takes into account incidents from the last 30 days.
  • MTTD by Type A widget that displays the Mean Time to Detection, by incident type.
  • Remediation SLA by Status The remediation SLA status of all incidents that initiated a remediation process. By default, the widget takes into account incidents from the last 30 days, and inherits the new time range when the dashboard time changes.

Incident Fields

  • Added Detection SLA field.
  • Added Remediation SLA field.
  • Added Time to Assignment field.

Incident Layouts

1 New Incident Layout

  • Phishing - Quick View Added SLAs for Quick View layouts.

1 Improved Incident Layout

  • Phishing - Summary New SLA content.
