Demisto Content Release Notes for version 19.10.0 (30654)

Published on 02 October 2019

Integrations

3 New Integrations

  • BitDam Use the BitDam integration to submit files for analysis.
  • Palo Alto Networks Traps Use the Palo Alto Networks Traps integration to initiate scans, retrieve files from events, isolate endpoints, quarantine files, and manage the blacklist.
  • Exabeam Use the Exabeam Security Management Platform integration to get data and labels for users and to get data for watchlists.

15 Improved Integrations

  • ArcSight ESM v2 Limited the incident fetch limit to 50 incidents per fetch.
  • Palo Alto Networks AutoFocus V2 Improved handling of empty responses for the autofocus-samples-search and autofocus-sessions-search commands.
  • Have I Been Pwned? V2
    • Added handling for cases where the rate limit is exceeded.
    • Added the max_retry_time integration parameter, which defines the maximum time per request.
  • AttackIQ Platform Changed the integration name from AttackIQ FireDrill to AttackIQ Platform.
  • BluecatAddressManager
    • Added the bluecat-am-get-range-by-ip command.
    • Improved handling of cases in which an error is returned from querying a non-existing IP address.
  • Microsoft Teams
    • Added support for single port mapping.
    • Added the microsoft-teams-integration-health command.
  • OnboardingIntegration Fixed an issue where incidents weren't fetched when the frequency parameter was set.
  • Shodan v2 Added display name clarification.
  • Slack v2 Added support for sending blocks (graphical attachments) in messages. For more information see the integration documentation.
  • SplunkPy Added the Earliest time to fetch and Latest time to fetch parameters, which are the names of the Splunk fields whose value defines the query's earliest and latest time to fetch.
  • PagerDuty v2 Added new arguments to the PagerDuty-get-users-on-call-now command.
    • escalation_policy_ids
    • schedule_ids
  • Windows Defender Advanced Threat Protection Fixed an issue in the fetch incidents functionality.
  • Snowflake Fixed an issue in the fetch incidents functionality.
  • SentinelOne V2
    • Fixed an issue with the sentinelone-disconnect-agent command.
    • Fixed human-readable output in the sentinelone-get-threat command in cases where the content_hash does not exist.
  • Recorded Future Added the Suspicious Threshold parameter.

Scripts

New Script

  • PanwIndicatorCreateQueries The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

6 Improved Scripts

  • FilterByList Regular expressions (regex) now work as expected.
  • ParseEmailFiles Improved handling for smime signed file attachments in MSG emails.
  • CheckEmailAuthenticity Fixed an issue that prevented playbooks from using this script.
  • CommonServerPython
    • Added requests debugging logger when debug-mode=true.
    • Added the BaseClient and DemistoException objects.
    • Added the build_dbot_entry and build_malicious_dbot_entry functions.
    • Added spaces between cells for tableToMarkdown function output, to prevent auto-extract over multiple cells.
  • SlackAsk Added support for users to reply to messages received from the Demisto integration using buttons. For more information see the integration documentation.
  • SaneDocReports
    • Fixed several issues related to tables in reports generated as DOCX files.
    • Generating the new investigation layout in a report as a DOCX file works as expected.

Playbooks

2 New Playbooks

  • AutoFocusPolling Use this playbook as a sub-playbook to query the Palo Alto Networks AutoFocus threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook except that it provides outputs in the playbook. The reason for that is that in AutoFocus it is not possible to query the results of the same query more than once, so the outputs have to be in the polling context.
  • Autofocus Query Samples, Sessions and Tags Use this playbook to query the PANW threat intelligence AutoFocus system. The playbook accepts indicators such as IPs, hashes, and domains to run basic queries or model advanced queries that can leverage several query parameters. We recommend that you create advanced queries using the AutoFocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and then use the export search button. The result can be used as a playbook input.

3 Improved Playbooks

  • Panorama Query Logs Fixed an issue in the Panorama Query logs playbook.
  • Cortex XDR Incident Handling The Is AutoFocus Enabled? task now checks for the AutoFocus v2 integration.
  • Phishing Investigation - Generic v2 Fixed an issue where the email authenticity check task failed to find the relevant script.

Incident Layouts

New Incident Layout

  • GDPR Data Breach - Summary Added a new layout for the GDPR Data Breach incident type.

Improved Incident Layout

  • Phishing - Summary Added email authenticity check to phishing incident layout (summary page).

Assets