Demisto Content Release Notes for version 20.1.0 (37812)

Published on 07 January 2020

Notice: Breaking Change

This content update renames the incident field Account to Account Name. This change affects backward compatibility if the field was already implemented in custom content artifacts.


12 Improved Integrations

  • Palo Alto Networks AutoFocus V2
    Improved error handling for the reputation commands:
    • ip
    • domain
    • file
    • url
  • Palo Alto Networks PAN-OS
    • Fixed an issue when trying to download a threat-pcap without the required arguments.
    • Improved the error message when trying to download PCAPs from a Panorama instance.
    • You can now specify multiple values (list) for the source, destination, and application arguments in the following commands:
      • panorama-create-rule
      • panorama-custom-block-rule
      • panorama-edit-rule
    • Added 4 commands.
      • panorama-list-static-routes
      • panorama-get-static-route
      • panorama-add-static-route
      • panorama-delete-static-route
    • Fixed an issue in the panorama-list-pcaps command when there are no PCAPs in PAN-OS.
  • SplunkPy
    Fixed an issue with access to a non-existing key when fetching non-ES events.
  • Carbon Black Enterprise Response
    Added the Maximum number of incidents to fetch parameter, which specifies the maximum number of incidents to create per fetch.
  • Cybereason
    Fixed an issue where the cybereason-query-file command did not pull specific hashes.
  • Zendesk
    Added the check_if_user_exists argument to the zendesk-add-user command, which checks if the user already exists in the system. If set to "True" and the user exists, an error is thrown.
  • IBM QRadar
    Fixed an issue with fetch-incidents that truncated the incident name when the description included new lines (line breaks).
  • Gmail
    • You can now run the following commands against user accounts when you have admin credentials:
      • gmail-delegate-user-mailbox
      • gmail-set-autoreply
  • ThreatQ v2
    • Added the threatq-advanced-search command, which runs an advanced indicator search.
    • Added TLP values to indicator outputs.
  • Google Vault
    Added support for group email (in addition to accountID) for the gvault-create-hold command.
  • EWS Mail Sender
    Fixed an issue with Unicode in the email subject for the send-mail command.
  • Palo Alto Networks WildFire v2
    Fixed an issue where the wildfire-report command did not return outputs for non-malicious URLs.


3 New Scripts

  • ProductJoin
    This script takes two lists, joined by a separator, and returns a list of strings.
  • DemistoVersion
    Returns the Demisto server version.
  • DockerHardeningCheck
    Checks if the Docker container running this script has been hardened according to the recommended settings. For more information, see the Docker Hardening Guide.

6 Improved Scripts

  • ConvertFile
    Fixed an issue where child processes were defunct after converting PDF files to HTML.
  • StixParser
    Removed firstSeen as a qualifier for STIX 2 objects.
  • SetIfEmpty
    Fixed an issue where the transformer would fail when applied to a number field.
  • Set
    Added the stringify argument, which enables you to save numbers as strings.
  • RepopulateFiles
    Fixed an issue in which the script took all of the last entries and not only the attachments. This resulted in reaching the page limit of 1,000 entries and caused suboptimal performance.
  • CommonServerPython
    • Added the argToBoolean command, which accepts an input value of type string or boolean and converts it to boolean.
    • Added the batch command, which accepts an iterable and the number of items to return per batch, and yields batches of that size.


8 New Playbooks

  • PAN-OS - Delete Static Routes
    This playbook deletes a PAN-OS static route from the PAN-OS instance.
  • PAN-OS - Add Static Routes
    This playbook accepts a PAN-OS static route configuration and creates it in the PAN-OS instance.
  • Employee Offboarding - Gather User Information
    This playbook gathers user information as part of the IT - Employee Offboarding playbook.
  • Employee Offboarding - Delegate
    This playbook delegates user resources and permissions as part of the IT - Employee Offboarding playbook.
  • Employee Offboarding - Revoke Permissions
    This playbook revokes user permissions as part of the IT - Employee Offboarding playbook.
  • Employee Offboarding - Retain & Delete
    This playbook performs retention and deletion of user information as part of the IT - Employee Offboarding playbook.
  • IT - Employee Offboarding
    This playbook offboards company employees to maintain organizational security.
  • IT - Employee Offboarding - Manual
    This playbook provides a manual alternative to the IT - Employee Offboarding playbook.

2 Improved Playbooks

  • Convert file hash to corresponding hashes
    • Fixed an issue in which converting a file hash to corresponding hashes failed.
    • Streamlined playbook structure by removing set tasks.
  • Active Directory - Get User Manager Details
    Fixed an issue where the display name of the original user was returned in addition to the manager's display name.

Incident Fields

Replaced the Account field with the Account Name field.

Note: This will affect backward compatibility if the field was already implemented in any content artifacts.

20 New Incident Fields

  • Active Directory - Account Status
  • Active Directory - Display Name
  • Active Directory - Password Status
  • Company Property Status
  • GSuite - Device Account Status
  • Google Account Status
  • Google Admin Roles Status
  • Google Display Name
  • Google Drive Status
  • Google Mail Status
  • Google Password Status
  • Duo Account Status
  • Email Auto Reply
  • Mailbox Delegation
  • Employee Display Name
  • Employee Email
  • Employee Manager Email
  • Global Directory Visibility
  • Offboarding Stage
  • Okta Account Status

Incident Layouts

2 New Incident Layouts

  • Employee Offboarding - Details
  • Employee Offboarding - New

Improved Incident Layout

  • Prisma Cloud - Summary
    Replaced the Account field with the Account Name field.

Incident Types

New Incident Type

  • Employee Offboarding

Classification & Mapping

2 Improved Classification & Mapping

  • prismaCloud_app
    Replaced the Account field with the Account Name field.
  • RedLock
    Replaced the Account field with the Account Name field.