Demisto Content Release Notes for version 19.10.1 (31209)
Published on 15 October 2019
Notice: Breaking Change
SplunkPy: This update adds the app parameter settings. After the update is complete, there is need to re-save existing instances of SplunkPy. Open the instance configuration, Test the instance and then save. The app parameter may be left empty.
- SMIME Messaging Use the S/MIME (Secure Multipurpose Internet Mail Extensions) integration to send and receive secure MIME data.
14 Improved Integrations
- Kafka v2
- Added partitions to kafka-print-topic command outputs.
- Added a parameter to set the maximum number of messages to fetch.
- Improved debug logging outputs.
- Improved fetch incidents implementation (breaks backward compatibility).
- Slack v2 Added support for changing the display name and icon for the Demisto bot in Slack.
- DUO Admin Proxy configuration now works as expected.
- Palo Alto Networks Traps Updated the integration category to Endpoint.
- Active Directory Query v2 Added support for debug-mode, which logs extended information when enabled.
- RSA Archer Added support for European timestamps.
- Hybrid Analysis Fixed an issue where hybrid-analysis-search command returned an error without using the query argument.
- Prisma Cloud (RedLock)
- Updated the display name to: Prisma Cloud (RedLock).
- Added the Trust any certificate configuration parameter.
- Microsoft Graph Mail
- Improved the description of the search argument in msgraph-mail-list-emails command.
- Fixed an issue where the msgraph-mail-delete-email command always returned an error.
- ThreatQ v2
Fixed results numbering for the following commands.
- Updated the integration to use Chrome driver instead of phantomJS (requires Demisto 5.0).
- Improved control over the window size of the output.
- Added the app parameter, which is the app context of the namespace.
- Improved the human readable output of the search command.
- TruSTAR Fixed an issue where the trustar-search-indicator command returned an incorrect context output.
- Fixed an issue where indicators were not extracted correctly in intsight-get-iocs command.
- Improved implementation of the following commands:
2 New Scripts
- AwsEC2GetPublicSGRules Find Security Group rules which allow ::/0 (IPv4) or 0.0.0.0/0.
- PopulateCriticalAssets Populates critical assets in a grid field that has the section headers Asset Type and Asset Name.
2 Improved Scripts
- Added the is_debug_mode wrapper function, which checks if debug-mode is enabled.
- The return_outputs function can now return readable_output.
- ExtractDomainFromUrlAndEmail Added support for URLs contains non-ASCII characters.
5 New Playbooks
- Traps Quarantine Event This playbook accepts a file hash and quarantines the file using Traps.
- Traps Blacklist File This playbook accepts a file SHA256 hash and adds it to a blacklist using the Traps integration.
- Traps Isolate Endpoint This playbook accepts an endpoint ID from the Traps integration and isolates the endpoint.
- Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port This playbook extracts the TCP public Security Groups rule and provides manual/automatic options to have the rules revoked.
- Palo Alto Networks - Endpoint Malware Investigation This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks MineMeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with MineMeld for all related IOCs, and calculates the incident severity based on all the findings.
3 Improved Playbooks
- Calculate Severity - Critical Assets v2 Added a task that sets all found critical assets to a new incident field.
- Calculate Severity - Generic v2 Fixed an issue where the current incident severity was not always taken into account.
- Palo Alto Networks - Malware Remediation Added Traps remediation sub-playbooks.
- PID PID.
- Blocked Action Blocked Action.
- Subtype Subtype.
- Infected Hosts Infected hosts found in the investigation.
- Isolated Isolated.
- Device Name Device Name.
- Traps ID Traps event ID.
- Agent ID Agent ID.
- Malicious Behavior Malicious Behavior.
- Quarantined Whether the indicator is quarantined or isolated.
- Terminated Action Terminated Action.
- Src OS Src OS.
- Command Line Command Line.
- File Size File Size.
- Triggered Security Profile Triggered Security Profile.
- Critical Assets A table of critical assets involved in the incident, including the name and asset type.
- Parent Process ID Parent Process ID.
New Incident Layout
- Traps - Summary New layout for Traps incident type.
2 Improved Incident Layouts
- Phishing - Summary
- Reorganized several elements of the layout.
- Added a field that displays the result for an email authenticity check.
- Added a field that displays email headers.
- Added a field that displays the email address of the user who reported the phishing email.
- Added a field that displays the email classification.
- Added a field that displays the phishing sub-type.
- Added a field that displays URL SSL verification results.
- Added a section that displays URL screenshots.
- Added a field that displays critical assets involved in the phishing incident.
- Phishing - Summary Added a list of critical assets to the summary layout of phishing incidents.
Classification & Mapping
New Classification & Mapping
- Palo Alto Networks Cortex New classifier for Palo Alto Networks Cortex integration for Traps incidents.
- The regex now recognizes URL query syntax.
- Added support for non-English languages.
- Added support for asterisk, pipeline, and various dashes.