Demisto Content Release Notes for version 19.11.1 (34712)

Published on 26 November 2019

Integrations

7 New Integrations

• Azure Security Center v2 Unified security management and advanced threat protection across hybrid cloud workloads.
• JsonWhoIs Provides data enrichment for domains and IP addresses.
• Microsoft Graph Mail Single User Microsoft Graph allows Demisto authorized access to a user's Outlook mail data in a personal or organization account.
• PhishLabs IOC EIR Get live feeds of IOC data from PhishLabs.
• Tanium v2 Tanium endpoint security and systems management.
• Azure Compute v2 Create and manage Azure VMs.
• FireEye Helix FireEye Helix is a security operations platform that integrates security tools and augments them with next-generation SIEM, orchestration and threat intelligence tools such as alert management, search, analysis, investigations and reporting.

25 Improved Integrations

• EWS v2
  • Improved logging.
  • Added the Max incidents per fetch parameter, which specifies the maximum number of incidents to retrieve per fetch. The maximum is 50.
• Microsoft Graph User Added pagination to the msgraph-user-list command.
• Red Canary Added the Reason, EndpointID, and EndpointUserID keys to detections context.
• Hybrid Analysis
  • Added the jobID, sha256 and environmentID arguments to the hybrid-analysis-get-report-status command.
  • Added the malicious_threat_levels argument to the hybrid-analysis-detonate-file command.
  • The hybrid-analysis-detonate-file command now works as expected.
• RSA Archer Fixed an issue with the presentation of user display names.
• Carbon Black Enterprise Response Added the cb-binary-download command, which replaces the deprecated cb-binary-get command.
• ArcSight ESM v2 Fixed an issue with the response encoding.
• Anomali ThreatStream v2 Fixed an issue with DBotScore context data.
• SentinelOne V2 Fixed an issue in the Fetch incidents function.
• Palo Alto Networks PAN-OS
  • Added support for a list of job_id in the panorama-query-logs and panorama-check-logs-status commands.
  • Added the ip argument in the panorama-query-logs command.
• IBM QRadar Fixed an issue in outputs for the get-search-results command.
• Tenable.io Fixed an issue in the tenable-io-get-vulnerabilities-by-asset command.
• Palo Alto Networks WildFire v2
  • Added validation to the server parameter.
  • Fixed an issue with DBotScore context data.
• RSA NetWitness Packets and Logs Fixed an issue in query parsing.
• MISP V2 Added support to search events by tags using the logical operators AND, OR, and NOT.
• Stealthwatch Cloud Fixed an issue where incidents were fetched multiple times.
• Slack v2
  • Added Slack API rate limit call handling.
  • Added an optional parameter to specify a proxy URL to use with the Slack API.
• McAfee Advanced Threat Defense Fixed an issue with the integration's proxy settings.
• Proofpoint TAP v2
  • Fixed the fetch-incidents function, which did not fetch duplicate values.
  • Added the proofpoint-get-forensics command.
  • Added context outputs for the proofpoint-get-events command.
• SumoLogic
  • Added the fetchDelay parameter, which defines the time between fetch-incidents executions.
  • Added the fetchRecords parameter to fetch aggregate results (instead of messages).
  • Updated the SumoLogic logo.
• AWS - ACM Bugfix for Proxy/Insecure issues.
• Atlassian Jira (v2) Added the attachmentName parameter to the jira-issue-upload-file command, which sets the attachment name in Jira.
• nmap Fixed an issue in nmap scans with the -sn flag.
• Have I Been Pwned? V2 Added batch support for domain and email commands.
• Cofense Triage Fixed an issue with the test module.

4 Deprecated Integrations

• ExtraHop We recommend using the ExtraHop Reveal(x) integration instead.
• Azure Compute Deprecated.
• Azure Security Center Deprecated.
• AlienVault OTX We recommend using the AlienVault OTX v2 integration instead.

---

Scripts

2 New Scripts

• SetIfEmpty Checks an object for an empty value and returns a preset default value.
• ExtractFQDNFromUrlAndEmail Extracts FQDNs from URLs and emails.

7 Improved Scripts

• PositiveDetectionsVSDetectionEngines
  • Displays a bar chart of the number of Positive Detections out of overall detections. Tagged as dynamic-indicator-section.
  • Fixed an issue that made zero-values return wrong results.
• CommonServerPython BaseClient now uses the session function to maintain an open session with the server.
• FilterByList Added the option to search for an exact match.
• ExtractDomainFromUrlAndEmail Added support to identify URLs and domains prefixed with http: or http:\.
• UnEscapeURLs Added support to identify URLs and domains prefixed with http: or http:\.
• StixParser You can now parse single-object STIX 2 files.
• SumList
  • Fixed an issue with handling input as a comma-separated string.
  • Added support for floating numbers.

---

Playbooks

11 New Playbooks

• Access Investigation - Generic - NIST Investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.
• PAN-OS - Block Domain - External Dynamic List Blocks domains using Palo Alto Networks Panorama or Firewall External Dynamic Lists.
• Convert file hash to corresponding hashes Enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
• Tanium - Get Saved Question Result Uses generic polling to get saved question results.
• Endpoint Malware Investigation - Generic This playbook is triggered by a malware incident from an Endpoint type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware.
• NIST - Handling an Incident Template This playbook contains the phases to handling an incident as described in the Handling an Incident section of NIST - Computer Security Incident Handling Guide.
• Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration Remediates Prisma Cloud AWS IAM password policy alerts.
• Prisma Cloud Remediation - AWS IAM Policy Misconfiguration Remediates Prisma Cloud AWS IAM policy alerts.
• NIST - Lessons Learned This playbook assists in processing an incident after it occurs and facilitates the lessons learned stage.
• FireEye Helix Archive Search Creates an archive search in FireEye Helix, and fetches the results as events.
• Tanium - Ask Question Uses generic polling to get question results.

6 Improved Playbooks

• Impossible Traveler The countries from which the user logged in are now saved in incident fields and are displayed in the layout.
• Isolate Endpoint - Generic Added playbook outputs.
• Panorama Query Logs Added the ip argument to the playbook.
• Phishing - Core Fixed an issue where Rasterize would attempt to run even if inactive.
• Traps Isolate Endpoint Added playbook outputs.
• Extract Indicators From File - Generic v2 Extracts indicators from a file.

---

Widgets

Improved Widget

• Page Break Widget Fixed an issue in the page break widget for PDF and DOC reports.

---

Incident Fields

• Threat Actor The threat actor.
• Host Name The host name.
• Previous Country The country from which the user previously logged in.
• NIST Stage The investigation's current NIST stage.
  • Associated to Malware incident type.
  • Associated the field with the Impossible Traveler event type.

---

Incident Layouts

New Incident Layout

• Malware - Summary Added a layout for the Malware incident type. Requires Demisto v5.0.

Improved Incident Layout

• Impossible Traveler - Summary Added a layout for the Impossible Traveler incident type.

---

Classification & Mapping

New Classification & Mapping

• Microsoft Graph Mail Single User Added a classifier for the Microsoft Graph Mail Single User integration.

---

Reputations

• Added support to identify URLs and domains prefixed with http: or http:\.
• Added support for FQDN extraction as a domain indicator type.

---

Assets

• Download: content_new.zip
• Browse the Source Code: Content Repo @ 19.11.1