Demisto Content Release Notes for version 20.2.0 (40231)

Published on 04 February 2020

Breaking Changes

Changed several indicator field names, which might cause backward-compatibility issues for existing indicator field mappings.

Integrations

4 New Integrations

  • Devo v2
    Use the Devo v2 integration to query Devo for alerts, lookup tables, and to write to lookup tables.
  • CloudShark
    Use the CloudShark integration to upload, share, and collaborate on network packet capture files using your on-premises CS Enterprise system.
  • Palo Alto Networks - Prisma Cloud Compute
    Use the Prisma Cloud Compute integration to fetch incidents from your Prisma Cloud Compute environment.
  • Sixgill
    Use the Sixgill integration to fetch alerts as incidents. Sixgill provides alerts that are based on organization assets, enabling you to take proactive steps to eliminate and mitigate your threats.

14 Improved Integrations

  • Palo Alto Networks Cortex XDR - Investigation and Response
    • Fixed an issue where trailing whitespace would affect outputs.
    • Implemented the Cortex XDR API v2.
    • Added 11 Traps commands.
      • xdr-isolate-endpoint
      • xdr-unisolate-endpoint
      • xdr-get-endpoints
      • xdr-insert-parsed-alert
      • xdr-insert-cef-alerts
      • xdr-get-audit-management-logs
      • xdr-get-audit-agent-reports
      • xdr-get-distribution-versions
      • xdr-get-distribution-url
      • xdr-get-create-distribution-status
      • xdr-create-distribution
  • Red Canary
    Fixed an issue with fetch-incidents in which detections were not properly fetched.
  • VulnDB
    Added the cve command, which returns CVE information.
  • Palo Alto Networks AutoFocus V2
    Added the autofocus-get-export-list-indicators command.
  • IBM QRadar
    Added immediate recovery for HTTP requests in case of connection error, which should help when QRadar SIEM is busy.
  • Microsoft Graph Mail
    Fixed an issue where listing emails did not compare the mail ID.
  • SplunkPy
    • The Test button now tests the fetch incidents function when the Fetch incidents option is selected.
    • Fixed an issue in the Splunk notable events ES query parameter where the time parameter was not passed to the table in Splunk.
  • Rasterize
    • Added support for specifying advanced Chrome options.
    • Improved rendering of large HTML files.
  • Mimecast
    Added the mimecast-update-policy command.
  • Demisto REST API
    Improved descriptions and fixed a typo.
  • Securonix
    • Added the Host parameter, which, if supplied, overrides the default hostname.
    • Added 4 commands.
      • securonix-create-incident
      • securonix-create-watchlist
      • securonix-check-entity-in-watchlist
      • securonix-add-entity-to-watchlist
  • Atlassian Jira (v2)
    Fixed an issue in the jira-get-issue command where retrieving issue attachments failed.
  • dnstwist
    Fixed an issue with creating outputs for the dnstwist-domain-variations command.
  • Kafka V2
    Improved the description of the kafka-fetch-partitions command.

Scripts

7 New Scripts

  • IsInternalHostName
    Checks if the supplied hostnames match either the organization's internal naming convention or the domain suffix.
  • CreateIndicatorsFromSTIX
    Creates indicators from the submitted STIX file. Supports STIX 1.0 and STIX 2.0.
  • PrismaCloudComputeParseAuditAlert
    Parses raw JSON data for Audit alerts.
  • PrismaCloudComputeParseComplianceAlert
    Parses raw JSON data for Compliance alerts.
  • PrismaCloudComputeParseVulnerabilityAlert
    Parses raw JSON data for Vulnerability alerts.
  • PrismaCloudComputeParseCloudDiscoveryAlert
    Parses raw JSON data for Cloud Discovery alerts.
  • YaraScan
    Performs a Yara scan on the supplied files.
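The check that IsInternalHostName describes, written out as an added example (this is not the script's own code). The naming-convention regex and the internal domain suffix are constructed assumptions for the example; the point it shows is that the suffix comparison must happen on a label boundary, otherwise a lookalike such as evilcorp.example.com would count as internal, and that the naming convention is only applied to bare short names, so an externally hosted name that merely copies the convention does not qualify.

```python
import re
from typing import Iterable

# Assumed conventions (constructed for this example, not taken from the script):
# - internal hosts are named like "ws-nyc-0123" or "srv-lon-42"
# - the internal DNS suffix is "corp.example.com"
INTERNAL_NAME_PATTERN = re.compile(r"^(ws|srv|lt)-[a-z]{3}-\d{2,4}$")
INTERNAL_DOMAIN_SUFFIX = "corp.example.com"


def normalize_hostname(hostname: str) -> str:
    # DNS names are case-insensitive; strip surrounding whitespace and a trailing root dot.
    return hostname.strip().lower().rstrip(".")


def is_internal_hostname(hostname: str,
                         pattern: re.Pattern = INTERNAL_NAME_PATTERN,
                         suffix: str = INTERNAL_DOMAIN_SUFFIX) -> bool:
    name = normalize_hostname(hostname)
    if not name:
        return False
    suffix = suffix.lower().strip(".")
    # Suffix match on a label boundary only: "evilcorp.example.com" ends with
    # "corp.example.com" but is not under that domain.
    if name == suffix or name.endswith("." + suffix):
        return True
    # The naming convention applies only to bare short names. A fully qualified
    # name under some other domain ("ws-nyc-0123.attacker.net") is not internal.
    if "." in name:
        return False
    return pattern.fullmatch(name) is not None


def classify_hostnames(hostnames: Iterable[str]) -> dict:
    # Map each supplied hostname to True (internal) or False (not internal).
    return {h: is_internal_hostname(h) for h in hostnames}


if __name__ == "__main__":
    for host, internal in classify_hostnames([
        "WS-NYC-0123", "srv-lon-42.corp.example.com.", "evilcorp.example.com",
        "ws-nyc-0123.attacker.net", "laptop7",
    ]).items():
        print(f"{host!r:40} internal={internal}")
```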

6 Improved Scripts

  • SaneDocReports
    Fixed an issue where, in rare cases, investigation reports crashed.
  • UnzipFile
    Fixed an issue where the script returned the file metadata instead of the file contents.
  • ReadPDFFileV2
    Fixed an issue where the script failed for some PDF files with the error: "Syntax Error: Invalid object stream. Internal Error: xref num 2245 not found but needed, try to reconstruct".
  • ParseEmailFiles
    Added handling for EML files with no Content-Type header. The script will treat the file as email text with no attachments.
  • CommonServerPython
    Added the ip_to_indicator_type function.
  • XDRSyncScript
    Updated outputs and added additional alert outputs.
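The edge case noted for ParseEmailFiles, an EML file with no Content-Type header, as an added example that is not the script's own code. It parses two constructed EML samples with Python's standard email library; when the Content-Type header is absent it returns the whole payload as email text and reports no attachments, and when it is present it extracts the body and the attachment parts normally.

```python
import email
from email import policy

# Constructed sample 1: an EML with a Content-Type header, a text body and one attachment.
EML_WITH_ATTACHMENT = b"""From: alice@example.com
To: bob@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed sample 2: an EML with no Content-Type header at all.
EML_NO_CONTENT_TYPE = b"""From: alice@example.com
To: bob@example.com
Subject: plain note

Just a plain message body, nothing attached.
"""


def parse_eml(raw: bytes) -> dict:
    """Return subject, text body, attachment list and whether a Content-Type header was present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "subject": str(msg["Subject"] or ""),
        "content_type_present": msg["Content-Type"] is not None,
    }

    if not result["content_type_present"]:
        # Edge case: no Content-Type header. Do not guess a MIME structure;
        # treat the whole payload as email text and report no attachments.
        payload = msg.get_payload(decode=True) or b""
        result["text"] = payload.decode("utf-8", errors="replace")
        result["attachments"] = []
        return result

    body = msg.get_body(preferencelist=("plain", "html"))
    result["text"] = body.get_content() if body is not None else ""
    # iter_attachments() yields only the non-body parts; for a non-multipart
    # message it yields nothing, so a plain text/plain mail also gets an empty list.
    result["attachments"] = [
        {"name": part.get_filename() or "unnamed", "size": len(part.get_content())}
        for part in msg.iter_attachments()
    ]
    return result


if __name__ == "__main__":
    for sample in (EML_WITH_ATTACHMENT, EML_NO_CONTENT_TYPE):
        print(parse_eml(sample))
```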

Playbooks

10 New Playbooks

  • *SANS - Incident Handler's Handbook Template
    This playbook contains the phases for handling an incident as they are described in the SANS Institute Incident Handler's Handbook by Patrick Kral.
  • *SANS - Incident Handlers Checklist
    This playbook follows the "Incident Handler's Checklist" described in the SANS Institute Incident Handler's Handbook by Patrick Kral.
  • *SANS - Lessons Learned
    This playbook assists in post-processing an incident and facilitates the lessons learned stage, as presented in the SANS Institute Incident Handler's Handbook by Patrick Kral.
  • Wait Until Datetime
    Pauses execution until the date and time that was specified in the playbook input is reached.
  • Prisma Cloud Compute - Cloud Discovery Alert
    The default playbook for parsing Prisma Cloud Compute Cloud Discovery alerts.
  • Prisma Cloud Compute - Vulnerability Alert
    Default playbook for parsing Prisma Cloud Compute vulnerability alerts.
  • Prisma Cloud Compute - Audit Alert
    Default playbook for parsing Prisma Cloud Compute audit alerts.
  • Splunk Indicator Hunting
    Queries Splunk for indicators such as file hashes, IP addresses, domains, or URLs. It outputs detected users, IP addresses, and hostnames related to the indicators.
  • Sixgill - DarkFeed - Indicators
    Extracts a STIX bundle and then uses the StixParser automation to parse and push indicators to Demisto.
  • Prisma Cloud Compute - Compliance Alert
    The default playbook for parsing Prisma Cloud Compute compliance alerts.

* Disclaimer: The SANS playbooks do not ensure compliance with SANS regulations.

3 Improved Playbooks

  • PANW - Hunting and threat detection by indicator type V2
    Fixed missing task link.
  • IT - Employee Offboarding
    Added functionality that enables offboarding employees on a future date.
  • IT - Employee Offboarding - Manual
    Added functionality that enables offboarding employees on a future date (manually).

Incident Fields

  • Offboarding Date
    The date and time when the employee offboarding process should begin. This incident field is used by the Employee Offboarding incident type and layouts.

Incident Layouts

6 New Incident Layouts

  • AWS EC2 Instance Misconfiguration - Summary
  • Sixgill Threat - Summary
  • Prisma Cloud Compute Audit - Summary
  • Prisma Cloud Compute Compliance - Summary
  • Prisma Cloud Compute Cloud Discovery - Summary
  • Prisma Cloud Compute Vulnerability - Summary

2 Improved Incident Layouts

  • Employee Offboarding - Summary
    Added a field for the date and time when the offboarding process began.
  • Employee Offboarding - New/Edit
    Added an option to select a future date and time at which to begin employee offboarding.

Classification & Mapping

3 Improved Classification & Mapping

  • RedLock
    Added classification to the AWS EC2 Instance Misconfiguration incident type.
  • Cortex XDR - IR
    Added the host_count field to the mapping of the Cortex XDR integration, with the incident type Cortex XDR Incident. (Available from Demisto v5.0)
  • prismaCloud_app
    Added classification to the AWS EC2 Instance Misconfiguration incident type.


Assets