Demisto Content Release Notes for version 19.11.1 (34712)

Published on 26 November 2019


7 New Integrations

  • Azure Security Center v2 Unified security management and advanced threat protection across hybrid cloud workloads.
  • JsonWhoIs Provides data enrichment for domains and IP addresses.
  • Microsoft Graph Mail Single User Microsoft Graph allows Demisto authorized access to a user's Outlook mail data in a personal or organization account.
  • PhishLabs IOC EIR Get live feeds of IOC data from PhishLabs.
  • Tanium v2 Tanium endpoint security and systems management.
  • Azure Compute v2 Create and manage Azure VMs.
  • FireEye Helix FireEye Helix is a security operations platform that integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.

25 Improved Integrations

  • EWS v2
    • Improved logging.
    • Added the Max incidents per fetch parameter, which specifies the maximum number of incidents to retrieve per fetch. The maximum is 50.
  • Microsoft Graph User Added pagination to the msgraph-user-list command.
  • Red Canary Added the Reason, EndpointID, and EndpointUserID keys to detections context.
  • Hybrid Analysis
    • Added the jobID, sha256 and environmentID arguments to the hybrid-analysis-get-report-status command.
    • Added the malicious_threat_levels argument to the hybrid-analysis-detonate-file command.
    • The hybrid-analysis-detonate-file command now works as expected.
  • RSA Archer Fixed an issue with the presentation of user display names.
  • Carbon Black Enterprise Response Added the cb-binary-download command, which replaces the deprecated cb-binary-get command.
  • ArcSight ESM v2 Fixed an issue with the response encoding.
  • Anomali ThreatStream v2 Fixed an issue with DBotScore context data.
  • SentinelOne V2 Fixed an issue in the Fetch incidents function.
  • Palo Alto Networks PAN-OS
    • Added support for a list of job_id in the panorama-query-logs and panorama-check-logs-status commands.
    • Added the ip argument in the panorama-query-logs command.
  • IBM QRadar Fixed an issue in outputs for the get-search-results command.
  • Fixed an issue in the tenable-io-get-vulnerabilities-by-asset command.
  • Palo Alto Networks WildFire v2
    • Added validation to the server parameter.
    • Fixed an issue with DBotScore context data.
  • RSA NetWitness Packets and Logs Fixed an issue in query parsing.
  • MISP V2 Added support to search events by tags using the logical operators AND, OR, and NOT.
  • Stealthwatch Cloud Fixed an issue where incidents were fetched multiple times.
  • Slack v2
    • Added Slack API rate limit call handling.
    • Added an optional parameter to specify a proxy URL to use with the Slack API.
  • McAfee Advanced Threat Defense Fixed an issue with the integration's proxy settings.
  • Proofpoint TAP v2
    • Fixed the fetch-incidents function, which did not fetch duplicate values.
    • Added the proofpoint-get-forensics command.
    • Added context outputs for the proofpoint-get-events command.
  • SumoLogic
    • Added the fetchDelay parameter, which defines the time between fetch-incidents executions.
    • Added the fetchRecords parameter to fetch aggregate results (instead of messages).
    • Updated the SumoLogic logo.
  • AWS - ACM Bugfix for Proxy/Insecure issues.
  • Atlassian Jira (v2) Added the attachmentName parameter to the jira-issue-upload-file command, which sets the attachment name in Jira.
  • nmap Fixed an issue in nmap scans with the -sn flag.
  • Have I Been Pwned? V2 Added batch support for domain and email commands.
  • Cofense Triage Fixed an issue with the test module.

4 Deprecated Integrations

  • ExtraHop We recommend using the ExtraHop Reveal(x) integration instead.
  • Azure Compute Deprecated.
  • Azure Security Center Deprecated.
  • AlienVault OTX We recommend using the AlienVault OTX v2 integration instead.


2 New Scripts

  • SetIfEmpty Checks an object for an empty value and returns a preset default value.
  • ExtractFQDNFromUrlAndEmail Extracts FQDNs from URLs and emails.

7 Improved Scripts

  • PositiveDetectionsVSDetectionEngines
    • Displays a bar chart of the number of Positive Detections out of overall detections. Tagged as dynamic-indicator-section.
    • Fixed an issue that made zero-values return wrong results.
  • CommonServerPython BaseClient now uses the session function to maintain an open session with the server.
  • FilterByList Added the option to search for an exact match.
  • ExtractDomainFromUrlAndEmail Added support to identify URLs and domains prefixed with http: or http:\.
  • UnEscapeURLs Added support to identify URLs and domains prefixed with http: or http:\.
  • StixParser You can now parse single-object STIX 2 files.
  • SumList
    • Fixed an issue with handling input as a comma-separated string.
    • Added support for floating numbers.


11 New Playbooks

  • Access Investigation - Generic - NIST Investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.
  • PAN-OS - Block Domain - External Dynamic List Blocks domains using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
  • Convert file hash to corresponding hashes Enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
  • Tanium - Get Saved Question Result Uses generic polling to get saved question results.
  • Endpoint Malware Investigation - Generic This playbook is triggered by a malware incident from an Endpoint type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.
  • NIST - Handling an Incident Template This playbook contains the phases to handling an incident as described in the Handling an Incident section of NIST - Computer Security Incident Handling Guide.
  • Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration Remediates Prisma Cloud AWS IAM password policy alerts.
  • Prisma Cloud Remediation - AWS IAM Policy Misconfiguration Remediates Prisma Cloud AWS IAM policy alerts.
  • NIST - Lessons Learned This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
  • FireEye Helix Archive Search Creates an archive search in FireEye Helix, and fetches the results as events.
  • Tanium - Ask Question Uses generic polling to get question results.

6 Improved Playbooks

  • Impossible Traveler The countries from which the user logged in are now saved in incident fields and are displayed in the layout.
  • Isolate Endpoint - Generic Added playbook outputs.
  • Panorama Query Logs Added the ip argument to the playbook.
  • Phishing - Core Fixed an issue where Rasterize would attempt to run even if inactive.
  • Traps Isolate Endpoint Added playbook outputs.
  • Extract Indicators From File - Generic v2 Extracts indicators from a file.


Improved Widget

  • Page Break Widget Fixed an issue in the page break widget for PDF and DOC reports.

Incident Fields

  • Threat Actor The threat actor.
  • Host Name The host name.
  • Previous Country The country from which the user previously logged in.
  • NIST Stage The investigation's current NIST stage.
    • Associated to Malware incident type.
    • Associated the field with the Impossible Traveler event type.

Incident Layouts

New Incident Layout

  • Malware - Summary Added a layout for the Malware incident type. Requires Demisto v5.0.

Improved Incident Layout

  • Impossible Traveler - Summary Added a layout for the Impossible Traveler incident type.

Classification & Mapping

New Classification & Mapping

  • Microsoft Graph Mail Single User Added a classifier for the Microsoft Graph Mail Single User integration.


  • Added support to identify URLs and domains prefixed with http: or http:\.
  • Added support for FQDN extraction as a domain indicator type.