Demisto Content Release Notes for version 19.4.0 (20832)

Published on 02 April 2019

Integrations

6 New Integrations

  • CrowdStrike Falcon The CrowdStrike Falcon OAuth 2 API integration (formerly Falcon Firehose API) enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
  • ExtraHop ExtraHop performs real-time stream analysis of the packets that carry data across a network.
  • Signal Sciences WAF Protect your web application using Signal Sciences.
  • Snowflake Analytic data warehouse provided as Software-as-a-Service.
  • Tufin Retrieve and analyze network access controls across Tufin-managed firewalls, SDN, and public cloud to identify vulnerable access paths of an attack.
  • Vertica Analytic database management software.

23 Improved Integrations

  • Active Directory Query v2
    • Added the context-output argument to the ad-search command. If the argument is set to no, the command will not output results.
    • Improved functionality of the size-limit argument in the ad-search command.
  • ArcSight ESM v2 Added an integration instance parameter that limits the number of incidents that are fetched each time.
  • Azure Compute Fixed an issue with the azure-vm-create-instance command.
  • Palo Alto AutoFocus
    • Fixed an issue with entry tables.
    • Improved handling of HTTP errors.
  • Centreon Fixed proxy logic.
  • Cisco Umbrella Investigate Added a threshold parameter to the integration instance configuration, which can override the default malicious score.
  • CrowdStrike Falcon Sandbox Improved how URLs are submitted to CrowdStrike.
  • Cyber Triage Added support for Cyber Triage 2.6.
  • DUO Admin Renamed the 1_minutes_ago argument to 1_minute_ago.
  • McAfee ESM-v10
    • Improved how incidents are fetched.
    • Added support for ESM timezone.
    • The esm-get-cases-list command now supports filtering by time range.
    • Added the time format parameter.
  • Endgame Improved descriptions for the endgame-deploy argument.
  • HashiCorp Vault
    • Improved integration test error messages.
    • Fixed several issues with fetching credentials.
    • The list-secrets command now supports KV1 engines.
  • LogRhythm Added several outputs and updated context.
  • Mail Sender (New)
    • Improved error handling and messaging.
    • Added the FQDN parameter to the integration instance configuration.
  • McAfee Advanced Threat Defense Improved error messages for incorrect username, incorrect password, and incorrect header.
  • Palo Alto Minemeld
    • Added validation when deleting indicators from miners of type localDB.
    • Added default values to the threat intel commands.
  • Palo Alto Networks Cortex Implemented OAuth2 authentication.
  • Palo Alto Firewall and Panorama
    • Added the panorama-get-pcap and panorama-list-pcaps commands.
    • Improved error messages and handling of invalid inputs; move-rule errors are now caught and displayed as a message.
  • Server Message Block (SMB)
    • Added the smb-upload command.
    • Added an option to print out the contents of a file instead of downloading it.
  • urlscan.io
    • Added RedirectedURLs and EffectiveURL data from the !url command to context.
    • Added the threshold parameter to the integration instance configuration.
  • VirusTotal - Private API
    • The vt-private-get-url-report command now supports multiple URLs.
    • Fixed an issue with the API.
    • Added context for the get-url, file, and domain-report commands.
    • Fixed DBot score in the ip-report command.
    • Added the Preferred Vendors List and Preferred Vendors Threshold parameters, which help determine if files and URLs are malicious.
  • Zscaler Fixed an issue with the rate limit error. Several requests in a short interval now trigger a retry on failure.

Scripts

New Script

  • FindSimilarIncidents Find similar incidents by common incident keys, labels, custom fields, or context keys. We recommend using incident keys if possible, for example: "type" for the same incident type. For performance reasons, we recommend avoiding context keys if possible; for example, if the value also appears in the label key, use "label".

7 Improved Scripts

  • CheckDockerImageAvailable Checks if a Docker image is accessible for pull commands.
  • CommonServerPython Added proxy handling method.
  • FilterByList Updated the context when the list is empty.
  • IsMaliciousIndicatorFound Fixed the script to depend only on DBotScore.Score.
  • ReadFile Fixed a Unicode parsing error.
  • ReadPDFFile Improved the error message when the script fails on reading encrypted files.
  • StixParser Added support for STIX2.0.

Playbooks

2 Improved Playbooks

  • Extract Indicators From File - Generic Improved the Is there a PDF file task, which checks whether file.type and file.info contain pdf.
  • Process Email - Generic Improved detection of attachments that are emails.

Reports

12 Improved Reports

  • Critical and High incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Daily incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Critical and High incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Daily incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Investigation Summary Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Open Incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Investigation Summary Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Last 24 hours incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Last 30 days incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Last 7 days incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Open Incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.
  • Unknown severity incidents Changed the occurred default date format in the decoder, which enables selecting an individual time format for each field.

Widgets

Improved Widget

  • Mentions Only unread messages are now displayed.

Incident Layouts

4 Improved Incident Layouts

  • Access - Summary Applied incident source fields.
  • Malware - Summary Applied incident source fields.
  • Phishing - Summary Removed 'Email Body HTML' from default Phishing incident type summary layout.
  • Vulnerability - Summary Applied incident source fields.

Assets