Demisto Content Release Notes for version 19.6.1 (24849)

Published on 25 June 2019

Integrations

8 New Integrations

  • Anomali ThreatStream v2 Use the Anomali ThreatStream integration to query and submit threats.
  • Palo Alto Networks AutoFocus v2 Use the Palo Alto Networks AutoFocus v2 integration to access samples and session data.
  • BlueCat Use the BlueCat integration to enrich IP addresses and manage response policies.
  • Cloaken Use the Cloaken integration to unshorten URLs onsite using the power of a Tor proxy server to prevent leaking IP addresses to adversaries.
  • Cofense Triage Use the Cofense Triage integration to manage reports and attachments.
  • Intezer v2 Use the Intezer v2 integration to detect and analyze malware, based on code reuse.
  • Perch Use the Perch integration to manage alerts, indicators, and communities.
  • ThreatX Use the ThreatX integration to automate enforcement and intel gathering actions.

13 Improved Integrations

  • ArcSight ESM v2 Improved logging functionality.
  • EWS Mail Sender Improved handling of EWS concurrency limits.
  • Gmail Added proxy support.
  • ipstack Improved naming and descriptions.
  • Palo Alto Networks Cortex Added the Cortex XDR Analytics query type for fetch incidents.
  • Rasterize Improved error suppression.
  • McAfee ESM-v10
    • Fixed an issue with the logout process.
    • Added event information to fetched alarms.
  • Server Message Block (SMB) Added the server IP/hostname and NETBios (AD) name command arguments. They still exist as optional instance parameters.
  • IntSights Fixed an issue with fetching incidents.
  • Microsoft Graph Security Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the Microsoft Graph Security documenation.
  • Microsoft Graph Mail Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the Microsoft Graph Mail documenation.
  • Microsoft Graph User Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the Microsoft Graph User documenation.
  • Microsoft Defender Advanced Threat Protection
    • Improved the flow for authenticating Demisto. You need to delete all current integration instances and configure new instances using the new authentication flow. For more information, see the Microsoft Defender Advanced Threat Protection documenation.
    • Added three new commands:
      • microsoft-atp-advanced-hunting: Run advanced queries as you would using the ATP portal.
      • microsoft-atp-create-alert: Create a new alert entity using event data, obtained from the Advanced Hunting.
      • microsoft-atp-get-alert-related-user: Retrieves the user associated with a specific alert.

Scripts

7 New Scripts

  • CheckEmailAuthenticity Checks email authenticity based on the email's SPF, DMARC, and DKIM.
  • D2Remove Removes the Demisto D2 agent from the system using the d2_remove command.
  • FindSimilarIncidents Identifies similar incidents by common incident keys, labels, custom fields, or context keys.
  • IntezerScanHost Scans the Intezer host.
  • Ping Pings an IP address or URL to verify that it is active.
  • GenerateSummaryReports Generates report summaries for the specified incidents.
  • IntezerRunScanner Runs the Intezer Endpoint Analysis Scanner.

Playbooks

7 New Playbooks

  • Detonate File - ThreatStream Detonates one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.
  • Detonate URL - ThreatStream Detonates one or more URLs using the Anomali ThreatStream v2 sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.
  • Intezer - Analyze Uploaded file Uploads a file to Intezer Analyze for analysis and enriches the file reputation.
  • Intezer - Analyze by hash Analyzes the given file hash on Intezer Analyze and enriches the file reputation. Supports SHA256, SHA1, and MD5.
  • Intezer - scan host Uses Demisto D2 agent to scan a host using Intezer scanner.
  • Send Investigation Summary Reports This playbook iterates over closed incidents, then generates a summary report for each closed incident, and emails the reports to specified users.
  • Send Investigation Summary Reports Job This playbook calls the sub-playbook, "Send Investigation Summary Reports", and closes the incident. By default, the playbook will search all incidents closed within the last hour. This playbook should run as a scheduled job, at an interval of once every 15 minutes.

2 Improved Playbooks

  • Extract Indicators From File - Generic File info data is ignored when checking Word documents.
  • Extract Indicators From File - Generic v2 File info data is ignored when checking Word documents.

Assets