Demisto Content Release Notes for version 20.1.2 (38873)

Published on 21 January 2020

Integrations

5 New Integrations

  • Securonix
    Use the Securonix integration to manage incidents and watchlists.
  • Digital Defense Frontline VM
    Use the Digital Defense Frontline VM to identify and evaluate the security and business risks of network devices and applications deployed as premise, cloud, or hybrid network-based implementations.
  • BPA
    Use the Palo Alto Networks Best Practice Assessment (BPA) integration to analyze NGFW and Panorama configurations and compare them to the best practices.
  • Google Cloud Translate
    Use the Google Cloud Translate integration to translate text to supported languages.
  • Kenna v2
    Use the Kenna v2 integration to search and update vulnerabilities, schedule a run connector, and manage tags and attributes.

12 Improved Integrations

  • Active Directory Query v2
    Added 2 commands.
    • ad-create-group
    • ad-delete-group
  • SplunkPy
    Added the splunk-submit-event-hec command.
  • Atlassian Jira (v2)
    • Fixed the description of the reporter argument in the jira-create-issue command.
    • Fixed an issue where an error was raised when trying to fetch incidents and the idOffset was not configured.
  • Palo Alto Networks MineMeld
    Added the type argument, which specifies the indicator type, to the following commands.
    • minemeld-add-to-miner
    • minemeld-remove-from-miner
  • Microsoft Graph Mail
    Added support to authenticate using a self-deployed Azure application.
  • IntSights
    • Improved logging for fetch_incidents.
    • Improved error handling.
  • AttackIQ Platform
    Added 4 commands.
    • attackiq-list-assessment-templates
    • attackiq-list-assets
    • attackiq-create-assessment
    • attackiq-add-assets-to-assessment
  • Palo Alto Networks Traps
    Fixed an issue where running a scan on an endpoint failed but the War Room entry displayed a success message.
  • IBM QRadar
    Added the Full Incident Enrichment instance parameter. Clear this checkbox to disable QRadar offense enrichment performed in fetch-incidents. This might help if you encounter a timeout while fetching new incidents.
  • Palo Alto Networks PAN-OS
    Fixed an issue where trying to download a filter-pcap with the necessary arguments did not return the correct results.
  • Microsoft Teams
    • Added the ability to mention users in the send-notification command.
    • Added 2 commands.
      • add-user-to-channel
      • create-channel
  • Microsoft Graph Mail Single User
    Added support to authenticate using a self-deployed Azure application.

1 Deprecated Integration

  • Kenna
    Use the Kenna v2 integration instead.

Scripts

3 New Scripts

  • SetAndHandleEmpty
    Checks whether a specified item was returned in the search results. If the item was returned, it is set in context. Otherwise, no value is set.
  • GetValuesOfMultipleFields
    Receives a list of fields and a context key base path. For example, with Key=demisto.result and List=username,user, the script retrieves all of the values from demisto.result.username and demisto.result.user. The Get field of the task must have the value ${.=[]}.
  • MicrosoftApiModule
    Common Microsoft code that will be appended into each Microsoft integration when it's deployed.

6 Improved Scripts

  • FindSimilarIncidents
    Shortened the query time range to improve index usage.
  • IsIPInRanges
    Added two non-routable IP address ranges.
    • 127.0.0.0/8 (localhost)
    • 169.254.0.0/16 (APIPA)
  • DBotTrainTextClassifierV2
    Added error messages for cases when the total number of incidents is less than the default threshold.
  • DBotPredictPhishingWords
    Added the emailBodyHTML argument, which enables you to pass the raw HTML of the email body.
  • SetIfEmpty
    • Added support for unicode default values.
    • The "None" string is now treated as empty.
  • PositiveDetectionsVSDetectionEngines
    Fixed an issue where the script displayed error messages when required fields were not supplied.

Playbooks

8 New Playbooks

  • QRadar Indicator Hunting V2
    Queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, and URLs.
  • Digital Defense FrontlineVM - Scan Asset Not Recently Scanned
    Pulls the IP address from the details value of an incident and checks whether that asset has been scanned within the past 60 days. If not, the playbook prompts to perform a scan on the asset.
  • Run Panorama Best Practice Assessment
    Runs Palo Alto Best Practice Assessment checks for a Panorama instance.
  • Digital Defense FrontlineVM - PAN-OS block assets
    Pulls Panorama queried threat logs and checks for any correlating assets that are found to have a minimum number of high-level vulnerabilities. If so, it blocks the IP address using the PAN-OS - Block IP and URL - External Dynamic List playbook.
  • Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration
    Remediates the Prisma Cloud AWS EC2 alerts generated by the following policies.
    • AWS Default Security Group Does Not Restrict All Traffic.
    • AWS Security Groups Allow Internet Traffic.
    • AWS Security Groups With Inbound Rule Overly Permissive To All Traffic.
  • PANW - Hunting and threat detection by indicator type V2
    This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names. The inputs can be provided manually or taken from the outputs of other playbooks. The playbook leverages Palo Alto Cortex data received from products such as Traps, Analytics, and PAN-OS to search for IP addresses and hosts related to that specific hash. The playbook output facilitates pivoting searches for possibly affected hosts, IP addresses, or users.
  • Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration
    Remediates Prisma Cloud AWS EC2 alerts and utilizes a number of sub-playbooks that manage EC2 policies.
  • Digital Defense FrontlineVM - Old Vulnerabilities Found
    Queries the Frontline.Cloud active view for any critical vulnerabilities found that are older than 90 days.

4 Improved Playbooks

  • PAN-OS - Block IP and URL - External Dynamic List
    Fixed an issue with EDL refresh for Panorama.
  • Phishing Investigation - Generic v2
    Added tasks that predict the phishing incident verdict when a phishing ML model exists. The verdict refers to the phishing category.
  • PAN-OS - Block Domain - External Dynamic List
    Fixed an issue with EDL refresh for Panorama.
  • Intezer - scan host
    Removed role requirements.

2 Deprecated Playbooks

  • PANW - Hunting and threat detection by indicator type
    Use the PANW - Hunting and threat detection by indicator type V2 playbook instead.
  • QRadar Indicator Hunting
    Use the QRadar Indicator Hunting V2 playbook instead.

Incident Fields

  • DBotTextSuggestionHighlighted
    Indicates the words in the text that contributed to the decision made by the ML model.
  • DBotPrediction
    The phishing sub-type verdict that was predicted by the ML model.
  • DBotPredictionProbability
    The confidence level, presented as a value between 0 and 1, of the phishing sub-type verdict predicted by the machine-learning model. Associated with the AWS IAM Policy Misconfiguration incident type.

Incident Layouts

New Incident Layouts

  • AWS IAM Policy Misconfiguration - Summary
    Associated with the AWS IAM Policy Misconfiguration incident type.

Improved Incident Layouts

  • Phishing - Summary
    Added the Machine Learning prediction section.

Classification & Mapping

2 Improved Classification & Mapping

  • prismaCloud_app
    Added classification to the AWS IAM Policy Misconfiguration incident type.
  • RedLock
    Added classification to the AWS IAM Policy Misconfiguration incident type.

Assets