Demisto Content Release Notes for version 19.4.2 (22301)

Published on 30 April 2019

Integrations

10 New Integrations

  • ANY.RUN ANY.RUN is a cloud-based sandbox with interactive access.
  • Carbon Black Enterprise Protection V2 Carbon Black Enterprise Protection is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform.
  • Cherwell Cherwell is a cloud-based IT service management solution.
  • Google BigQuery Google BigQuery is a data warehouse for querying and analyzing large databases.
  • Microsoft Graph Mail Microsoft Graph lets your app get authorized access to a user's Outlook mail data in a personal or organization account.
  • Microsoft Graph User Unified gateway to security insights - all from a unified Microsoft Graph User API.
  • OnboardingIntegration Creates mock email incidents using one of two randomly selected HTML templates. Textual content is randomly generated and defined to include some text (100 random words) and the following data (at least 5 of each data type): IP addresses, URLs, SHA-1 hashes, SHA-256 hashes, MD5 hashes, email addresses, domain names.
  • Symantec Management Center Symantec Management Center provides a unified management environment for the Symantec Security Platform portfolio of products.
  • FortiSIEM Search and update FortiSIEM events, and manage resource lists.
  • OPSWAT-Metadefender v2 OPSWAT-Metadefender is a multi-scanning engine that uses 30+ anti-malware engines to scan files for threats.

17 Improved Integrations

  • urlscan.io Added support for the urlscan-get-http-transactions script.
  • ServiceNow Added an option to select the timestamp field to filter by when fetching incidents. The fetch-incidents limit and last-run time are now enforced.
  • CounterTack Added two commands.
    • countertack-search-endpoints
    • countertack-search-behaviors
  • Gmail Added two commands.
    • gmail-list-filters
    • gmail-remove-filter
  • Fidelis Elevate Network Fixed the ioc filter in the fidelis-list-alerts command.
  • Atlassian Jira v2 Improved handling of IssueTypeName and issueJson in the jira-create-issue command.
  • PagerDuty v2 Added two commands.
    • PagerDuty-get-incident-data
    • PagerDuty-get-service-keys
  • Anomali ThreatStream Improved handling of partial responses from Anomali ThreatStream.
  • CrowdStrike Falcon Intel Fixed how dates are parsed in the cs-report command.
  • Intezer Several improvements to the file command.
    • Added the sha256 argument.
    • Invalid hashes are now regarded as a warning.
  • Palo Alto Networks Magnifier Fixed the integration name and logo.
  • Mail Sender (New) Improved error messages.
  • Palo Alto Networks Minemeld Fixed the integration display name.
  • Palo Alto Networks PAN-OS Added eight commands.
    • panorama-list-edl
    • panorama-get-edl
    • panorama-create-edl
    • panorama-edit-edl
    • panorama-delete-edl
    • panorama-refresh-edl
    • panorama-register-ip-tag
    • panorama-unregister-ip-tag
  • VirusTotal Added the fullResponseGlobal parameter. The parameter determines whether to return all results, which can number in the thousands. If true, returns all results and overrides the fullResponse and long arguments (if they are set to "false") in a command. If false, the fullResponse and long arguments in the command determine how results are returned.
  • Palo Alto Networks WildFire
    • Improved the file command.
      • Added the md5 and sha256 arguments.
      • Invalid hashes are now regarded as a warning.
    • Improved the wildfire-report command.
      • Added the sha256 argument.
      • Deprecated the hash argument.
    • Added the wildfire-get-sample command.
  • Zscaler Added the zscaler-sandbox-report command.

Deprecated

  • OPSWAT-Metadefender (Deprecated) Deprecated. Use the OPSWAT-Metadefender v2 integration instead.

Scripts

11 New Scripts

  • CherwellCreateIncident A sample script that creates an incident in Cherwell. The script wraps the cherwell-create-business-object command in the Cherwell integration.
  • CherwellGetIncident A sample script that retrieves an incident from Cherwell. The script wraps the cherwell-get-business-object command of the Cherwell integration.
  • CherwellIncidentOwnTask A sample script that links an incident to a task in Cherwell. The script wraps the cherwell-link-business-object command of the Cherwell integration.
  • CherwellIncidentUnlinkTask A sample script that unlinks a task from an incident in Cherwell. The script wraps the cherwell-unlink-business-object command of the Cherwell integration.
  • CherwellQueryIncidents A sample script that queries incidents from Cherwell. The script wraps the cherwell-query-business-object command of the Cherwell integration.
  • CherwellUpdateIncident A sample script that updates an incident in Cherwell. The script wraps the cherwell-update-business-object command of the Cherwell integration.
  • DBotPredictPhishingWords Predict text label using a pre-trained machine learning phishing model, and get the most important words used in the classification decision.
  • FileToBase64List Encode a file as base64 and store it in a Demisto list.
  • DemistoLeaveAllInvestigations Removes a user from all investigations in which they are involved (clears the incidents in the left pane). Incidents that the user owns remain in the left pane. Requires the Demisto REST API integration to be configured for the server.
  • OnboardingCleanup Cleans up the incidents and indicators created by the OnboardingIntegration.
  • UrlscanGetHttpTransactions Retrieves the HTTP transactions made for a given URL using the UrlScan integration. To use this script properly, run it inside a playbook and select the option to run it without a worker, which uses fewer system resources during the polling action. In the playbook task that executes this script, go to the Advanced section and select the Run without a worker checkbox.

12 Improved Scripts

  • CheckDockerImageAvailable Improved the script to work with older demisto/python images.
  • ParseEmailFiles
    • Improved email file type detection.
    • Fixed an issue when EML files have special characters.
  • ADGetUser Enabled script execution with Active Directory Query instances only.
  • CommonServerPython Added the list type to raw_response in the raw_outputs command.
  • ExtractIndicatorsFromWordFile The automation executes as expected when the entry is a single object.
  • FetchFromInstance Improved script execution.
  • GenericPollingScheduledTask Added an option to pass CSV arguments and values to pollingCommandArgName.
  • ReadPDFFile Added an error when reading image files fails.
  • RunPollingCommand Added an option to pass CSV arguments and values to pollingCommandArgName.
  • ScheduleGenericPolling Added an option to pass CSV arguments and values to pollingCommandArgName.
  • UserEnrichAD Updated a dependency for the activedir brand.
  • IsIPInRanges
    • Removed the condition tag.
    • Improved the description of the IP range input.

Playbooks

16 New Playbooks

  • Account Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names, descriptions, input selectors, and auto-extract settings.
    • The new version does not provide reputation.
  • Detonate File - ANYRUN Detonates one or more files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. All file types are supported.
  • Detonate File From URL - ANYRUN Detonates one or more remote files using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and file reputations to the context data. This type of analysis works only for direct download links.
  • Detonate URL - ANYRUN Detonates one or more URLs using the ANY.RUN sandbox integration. Returns relevant reports to the War Room, and URL reputations to the context data.
  • Domain Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names, descriptions, and auto-extract settings.
    • The new version does not provide reputation.
  • Email Address Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved playbook performance and execution.
    • The new version does not provide reputation.
  • Endpoint Enrichment - Generic v2
    • Reduced indicator duplication.
    • Improved task names and descriptions, and auto-extract settings.
    • Improved playbook performance and execution, and DT selector implementation.
    • Removed a deprecated SentinelOne integration.
  • Entity Enrichment - Generic v2 Improved playbook and sub-playbook performance and execution.
  • Entity Enrichment - Phishing v2 Customized for generic phishing investigations to avoid enrichment of irrelevant entities.
  • File Enrichment - Generic v2
    • Reduced indicator duplication.
    • Removed redundant sub-playbooks.
    • Simplified playbook structure and conditions.
    • The new version does not provide reputation.
  • IP Enrichment - Generic v2
    • Added two separate sub-playbooks; one for internal IPs and one for external IPs.
    • The new version does not provide reputation.
  • IP Enrichment - External - Generic v2
    • Added a new generic playbook for external IP enrichment.
    • The new playbook does not provide reputation.
  • IP Enrichment - Internal - Generic v2
    • Added a new generic playbook for internal IP enrichment.
    • The new playbook does not provide reputation.
  • PhishingDemo-Onboarding This playbook is part of the on-boarding experience, and focuses on phishing scenarios. To use this playbook, you'll need to enable the on-boarding integration and configure incidents of type Phishing. For more information, refer to the on-boarding walkthroughs in the help section.
  • Phishing Investigation - Generic v2 Improved entity enrichment to avoid enrichment of irrelevant entities.
  • URL Enrichment - Generic v2
    • Reduced indicator duplication.
    • Removed reputation commands.
    • Simplified playbook structure and implementation.
    • The new version does not provide reputation.

5 Improved Playbooks

  • Detonate File - Generic Added the ANYRUN File Detonation playbook.
  • Detonate URL - Generic Added the ANYRUN URL Detonation playbook.
  • Email Address Enrichment - Generic Adjusted version.
  • GenericPolling Added support for CSV arguments and values for PollingCommandArgName.
  • Process Email - Generic SetIncident now retrieves data from the correct context fields.

Incident Layouts

Improved Incident Layout

  • Phishing - Summary Updated phishing incident type layout.

Classification & Mapping

New Classification & Mapping

  • OnboardingIntegration Mapping to phishing incidents.

Assets