Demisto Content Release Notes for version 19.11.0 (33434)

Published on 12 November 2019

Integrations

6 New Integrations

  • Vectra v2 Automated attacker behavior analytics.
  • Google Key Management Service Use the Google Key Management Service API for CryptoKey management and encrypt/decrypt functionality.
  • ExtraHop Reveal(x) Network detection and response. Complete visibility of network communications at enterprise scale, real-time threat detections backed by machine learning, and guided investigation workflows that simplify response.
  • SecurityAdvisor Contextual coaching and awareness for end users.
  • AlienVault OTX v2 Query Indicators of Compromise in AlienVault OTX.
  • DomainTools Iris A threat intelligence and investigation platform for domain names, IP addresses, email addresses, name servers, and so on.

22 Improved Integrations

  • ArcSight Logger
    • Fixed an issue where date fields in search results were in epoch format instead of human readable format.
    • Added a function to handle chart operations in the logger search.
  • SplunkPy Increased the maximum fetch limit for Splunk.
  • Qualys Improved implementation of the qualys-vm-scan-launch command.
  • Uptycs Fixed an issue where users could not set an asset tag with a key that already exists by adding a new column, ancestor_list, to the process_events table in osquery. This simplifies computing the parent-child lineage of processes.
  • Netskope Added the ability to fetch alerts as incidents.
  • Kenna Improved inputs and outputs of the kenna-search-fixes command.
  • Red Canary Fixed an issue where non-Active Directory user names caused an "index out of range" exception.
  • Rasterize Added support for the px suffix in the width and height parameters.
  • Palo Alto Networks PAN-OS
    • Fixed an issue where the panorama-custom-block-rule command failed when trying to block an EDL or an address group object.
    • Changed the url argument from equals to contains in the panorama-log-query command.
    • Improved descriptions in the panorama-move-rule command.
  • EWS v2
    • Improved implementation of the ews-move-item-between-mailboxes command.
    • The email body now prints to context and the War Room for the following commands:
      • ews-get-items
      • ews-search-mailbox
  • Mail Sender (New)
    • Added support for versions of smtplib that use stderr from sys.
    • Fixed support for CRAM-MD5 authentication.
  • Palo Alto Networks PAN-OS EDL Management
    • Fixed an issue where the pan-os-edl-update command failed in scp_execute() when the file path included space characters.
    • Fixed an issue where the ssh_execute() function failed when the file name included space characters.
  • Palo Alto Networks Cortex Fixed an issue with the Test module.
  • RSA Archer
    • Fixed an issue in the Archer fetch incidents offset.
    • Fixed an issue in the fetched incidents details.
    • Improved errors and added debug logs.
  • BeyondTrust Password Safe Fixed an issue where stored credentials were using a non-unique identifier.
  • ProtectWise
    • Fixed an issue where events were not fetched properly.
    • Added the ability to limit the number of fetched incidents per fetch.
    • Fixed outputs for the protectwise-event-info command.
  • urlscan.io Fixed a typo in an error message.
  • Elasticsearch v2 Added support for timestamps.
  • RSA NetWitness v11.1
    • Added the Fetch Limit parameter.
    • Fixed an issue where an unsupported timestamp format caused the integration to fail.
  • Palo Alto Networks AutoFocus V2 Added descriptions to the autofocus-tag-details command.
  • Carbon Black Enterprise Response Added the decompress argument to the cb-binary-get command.
  • Kafka V2 Updated the Docker image demisto/pykafka to version 1.0.0.3321 (requires Demisto 5.0).

Scripts

14 New Scripts

  • IPv4Blacklist Transformer that returns a filtered list of IPv4 addresses, based on whether they do not match a comma-separated list of IPv4 ranges. Useful for filtering out internal IP address space.
  • IsNotInCidrRanges Checks whether an IPv4 address is not contained in one or more comma-delimited CIDR ranges.
  • IPv4Whitelist Transformer that returns a filtered list of IPv4 addresses, based on whether they match a comma-separated list of IPv4 ranges. Useful for filtering in internal IP address space.
  • GetByIncidentId Gets a value from the specified incident's context.
  • IsInCidrRanges Determines whether an IPv4 address is contained in one or more comma-delimited CIDR ranges.
  • CalculateGeoDistance Computes the distance between two sets of coordinates, in miles.
  • IsRFC1918Address A filter that determines whether an IPv4 address is in the private RFC-1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). For more information, see https://en.wikipedia.org/wiki/Private_network.
  • ExtraHopTrackIncidents Links an incident investigation back to the ExtraHop Detection that created it.
  • ProvidesCommand Determines which integrations implement a specific Demisto command. The results will be returned as comma-separated values (CSV). The "Demisto REST API" integration must first be enabled.
  • CalculateTimeDifference Calculate the time difference, in minutes.
  • DBotPreProcessTextData Pre-process text data for the machine learning text classifier.
  • DBotBuildPhishingClassifier Create a phishing classifier using a machine learning technique, based on email content.
  • DBotTrainTextClassifierV2 Train a machine learning text classifier.
  • GetIncidentsByQuery Gets a list of incident objects and the associated incident outputs that match the specified query and filters. The results are returned in a structured data file.
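The CIDR-matching scripts listed above share one piece of logic. As an added example, not the content pack's own code, here is a stand-alone Python re-implementation of the behaviour described for IsInCidrRanges, IsNotInCidrRanges, IPv4Whitelist, IPv4Blacklist and IsRFC1918Address, using the standard-library ipaddress module and the three RFC 1918 ranges named in that item:

```python
import ipaddress
from typing import Iterable, List

# Added example, not the Demisto content pack's own code: a stand-alone
# re-implementation of the behaviour the release notes describe for
# IsInCidrRanges, IsNotInCidrRanges, IPv4Whitelist, IPv4Blacklist and
# IsRFC1918Address, using only the standard-library ipaddress module.

# The three private ranges named in the IsRFC1918Address description.
RFC1918_RANGES = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

def parse_cidr_ranges(ranges_csv: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-delimited string of IPv4 CIDR ranges.

    strict=False accepts a range written with host bits set (10.1.2.3/8)
    and normalises it to 10.0.0.0/8 instead of raising. Empty items from
    trailing or doubled commas are skipped; anything else invalid raises.
    """
    nets = []
    for item in ranges_csv.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.IPv4Network(item, strict=False))
    return nets

def is_in_cidr_ranges(ip: str, ranges_csv: str) -> bool:
    """IsInCidrRanges: True if ip falls inside any of the given ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in parse_cidr_ranges(ranges_csv))

def is_not_in_cidr_ranges(ip: str, ranges_csv: str) -> bool:
    """IsNotInCidrRanges: the complement of is_in_cidr_ranges."""
    return not is_in_cidr_ranges(ip, ranges_csv)

def is_rfc1918_address(ip: str) -> bool:
    """IsRFC1918Address: True only for 10/8, 172.16/12 and 192.168/16."""
    return is_in_cidr_ranges(ip, RFC1918_RANGES)

def ipv4_whitelist(ips: Iterable[str], ranges_csv: str) -> List[str]:
    """IPv4Whitelist transformer: keep only addresses inside the ranges."""
    nets = parse_cidr_ranges(ranges_csv)
    return [ip for ip in ips if any(ipaddress.IPv4Address(ip) in n for n in nets)]

def ipv4_blacklist(ips: Iterable[str], ranges_csv: str) -> List[str]:
    """IPv4Blacklist transformer: drop addresses inside the ranges (e.g. internal space)."""
    nets = parse_cidr_ranges(ranges_csv)
    return [ip for ip in ips if not any(ipaddress.IPv4Address(ip) in n for n in nets)]
```

Passing RFC1918_RANGES to ipv4_blacklist gives the "filter out internal IP address space" use the IPv4Blacklist item describes; passing it to ipv4_whitelist keeps only the internal addresses.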

9 Improved Scripts

  • UnEscapeURLs Improved handling of Proofpoint v3 URLs.
  • SearchIncidents
    • Fixed the examples in command descriptions.
  • RegexGroups Updated the RegexGroups transformer to Python 3 in order to support special ASCII characters and additional error handling (requires Demisto 5.0).
  • SaneDocReports
    • Fixed table and list functions.
    • Fixed an issue where trends had long floating point values.
    • Fixed an issue where line charts with more than 40 columns were not readable.
  • CopyContextToField Added the ability to set the value of an incident field from the value of a context key. If the context key is a list, the first element of the list is taken as the value.
  • DeleteContext Added the auto option to the subplaybook argument. Use auto to delete either from the sub-playbook context (if the playbook is called as a sub-playbook) or from the global context (if the playbook is the master playbook).
  • CommonServerPython Fixed the IntegrationLogger auto-replace of sensitive strings.
  • HTMLDocsAutomation
    • Fixed an issue where commands in the top part were in the format name:name instead of description:name.
    • Added links for the list of commands to each command.
  • XDRSyncScript Fixed an issue where the XDRSyncScript script executed the xdr-update-incident command even when required arguments were empty.

Playbooks

11 New Playbooks

  • ExtraHop - Ticket Tracking Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. Documentation was provided by ExtraHop.
  • ExtraHop - Get Peers by Host Given a host, the playbook will retrieve the peer network devices that communicated with that host in a given time range. In addition to a list of peers and protocols (sorted by bytes), the playbook returns a link to the ExtraHop Live Activity Map to visualize the peer relationships.
  • Block Indicators - Generic v2 This playbook blocks malicious Indicators using all integrations that are enabled, using several sub-playbooks.
  • Impossible Traveler This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler).
  • Indicator Pivoting - DomainTools Iris Pivots are used to gather data that share a common attribute with a domain. For instance, pivoting on an IP Address will give you back all domains related to that IP address.
  • ExtraHop - Default This is the default playbook to run for all ExtraHop Detection incidents, which handles ticket tracking and triggers specific playbooks based on the name of the ExtraHop Detection. Documentation was provided by ExtraHop.
  • Isolate Endpoint - Generic This playbook isolates a given endpoint.
  • Block File - Cybereason This playbook accepts an MD5 hash and blocks the file using the Cybereason integration.
  • Block File - Generic v2 This playbook is used to block files from running on endpoints.
  • Block File - Cylance Protect v2 This playbook accepts a SHA256 hash and adds the hash to the Global Quarantine list using the Cylance Protect v2 integration.
  • DBot Create Phishing Classifier V2 Create a phishing classifier using a machine learning technique, based on email content.
  • DBot Create Phishing Classifier V2 Job Train the phishing machine learning model. This playbook should be used as a job, to run repeatedly, for example every week.

3 Improved Playbooks

  • Block IP - Generic v2 Fixed output descriptions.
  • Endpoint Enrichment - Generic v2.1 Added support for the ExtraHop Reveal(x) integration.
  • Phishing Investigation - Generic v2
    • Fixed an issue where the task that saves the email address of the reporter of the phishing email was disconnected from the previous task.
    • Fixed an issue where the DT that was used to get the display name of the user who reported the email was invalid.

Widgets

New Widget

  • Page Break Widget Use the page break widget in a report to force a page break before the widgets that follow.

Incident Fields

19 New Incident Fields

  • Sign In Date Time The date and time when the second sign in of the user occurred, in ISO-8601 format.
  • Coordinates The coordinates of the location from which the user logged in.
  • Source IP The IP address from which the user initially logged in.
  • Raw Participants Raw list of participant objects associated with the ExtraHop Reveal(x) detection.
  • ExtraHop Hostname Hostname of the ExtraHop Reveal(x) that created the detection.
  • Risk Score Risk score associated with the ExtraHop Reveal(x) detection.
  • Previous Sign In Date Time The date and time when the first sign in of the user occurred, in ISO-8601 format.
  • Username The username of the account that logged in.
  • Detection ID ID of the ExtraHop Reveal(x) detection.
  • Destination IP The IP address to which the impossible traveler logged in.
  • Travel Map Link The link to a map that shows the travel path of the user.
  • Detection Update Time Timestamp of when the ExtraHop Reveal(x) detection was last updated.
  • Detection Ticketed Whether the incident is tracked to the corresponding detection in ExtraHop Reveal(x).
  • Previous Coordinates The coordinates of the location from which the user previously logged in.
  • Participants List of participant objects associated with the ExtraHop Reveal(x) detection.
  • Detection End Time Timestamp of when the ExtraHop Reveal(x) detection ended.
  • Previous Source IP The previous IP address from which the user logged in.
  • Detection URL URL of the ExtraHop Reveal(x) detection.
  • ExtraHop Appliance ID Appliance ID of the ExtraHop Reveal(x) that created the detection.

Incident Layouts

6 New Incident Layouts

  • ExtraHop Detection - Mobile Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - Close Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - New/Edit Added a layout for the ExtraHop Detection incident type.
  • ExtraHop Detection - Summary Added a layout for the ExtraHop Detection incident type.
  • Impossible Traveler - Summary Added a layout for the Impossible Traveler incident type.
  • ExtraHop Detection - Quick View Added a layout for the ExtraHop Detection incident type.

Assets