Demisto Content Release Notes for version 20.2.4 (42218)

Published on 24 February 2020

5.5 Beta Release Notes

Feeds

25 New Feeds in 5.5.0 Beta

We added several inbound and outbound feeds for threat intelligence management.

22 Inbound Feeds
  • abuse.ch SSL Blacklist Feed
  • DShield Feed
  • Cofense Feed
  • Azure Feed
  • Office 365 Feed
  • Blocklist_de Feed
  • Recorded Future RiskList Feed
  • BruteForceBlocker Feed
  • AutoFocus Feed
  • Cloudflare Feed
  • Proofpoint Feed
  • Bambenek Consulting Feed
  • Tor Exit Addresses Feed
  • AlienVault Reputation Feed
  • Feodo Tracker IP Blocklist Feed
  • Feodo Tracker Hashes Feed
  • Spamhaus Feed
  • AWS Feed
  • Office365 Feed
  • CSV Feed
  • Malware Domain List Active IPs Feed
  • Fastly Feed

3 Outbound Feeds
  • Export Indicators Service
  • Palo Alto Networks PAN-OS EDL Service
  • TAXII Feed

Integrations

New Integration in 5.5 Beta

  • Elasticsearch v2
    • Searches for and analyzes data in real-time.
    • Supports version 6 and up.

Scripts

New Script in 5.5.0 Beta

  • FetchIndicatorsFromFile Fetches indicators from a file.

Playbooks

11 New Playbooks in 5.5 Beta

  • Process Domain Indicators
  • Process Hash Indicators
  • Process IP Indicators
  • Process Url Indicators
  • ArcSight Add Domain Indicators
  • ArcSight Add IP Indicators
  • ArcSight Add Hash Indicators
  • QRadar Add Domain Indicators
  • QRadar Add IP Indicators
  • QRadar Add Hash Indicators
  • QRadar Add Url Indicators

Dashboard

New Dashboard in 5.5.0 Beta

  • Threat Intelligence Management

Widgets

4 New Widgets

  • Elastic Disk Current Usage Elastic Disk Current Usage %.
  • Elastic JVM Memory Current Usage Elastic JVM Memory Current Usage %.
  • Elastic Memory Current Usage Elastic Memory Current Usage %.
  • Elastic CPU Current Usage Elasticsearch CPU Current Usage %.

Incident Layouts

10 New Incident Layouts in 5.5.0 Beta

  • emailRep - Indicator Details Updated the layout for the Email indicator type.
  • Indicator Feed - New/Edit Added the ability to edit the layout for the Indicator Feed incident type.
  • unifiedFileRep - Indicator Details Updated the layout for the File indicator type.
  • urlRep - Indicator Details Updated the layout for the URL indicator type.
  • domainRep - Indicator Details Updated the layout for the Domain indicator type.
  • hostRep - Indicator Details Updated the layout for the Host indicator type.
  • cveRep - Indicator Details Updated the layout for the CVE indicator type.
  • registryKey - Indicator Details Updated the layout for the Registry Key indicator type.
  • ipRep - Indicator Details Updated the layout for the IP indicator type.
  • accountRep - Indicator Details Updated the layout for the Account indicator type.

Integrations

8 New Integrations

  • Google Chronicle Backstory Use the Google Chronicle Backstory integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed.
  • Pentera An Integration with Pentera by Pcysys.
  • Claroty Use the Claroty CTD integration to manage assets and alerts.
  • Expanse The Expanse App for Demisto leverages the Expander API to retrieve network exposures and create incidents in Demisto. This application also enables IP and Domain enrichment, retrieving assets and exposures information drawn from Expanse.
  • IBM X-Force Exchange (v2) Use the IBM X-Force Exchange integration to receive threat intelligence about applications, IP addresses, URLs, and hashes.
  • CounterCraft Deception Director Use the CounterCraft Deception Solution integration to detect advanced adversaries and to automate counterintelligence campaigns to discover targeted attacks with real-time active response.
  • Indeni Indeni is turn-key automated monitoring providing visibility for security infrastructure. Indeni's production-ready Knowledge is curated from vetted, community-sourced experience, to deliver automation of tedious tasks with integration with your existing processes.
  • illuminate This integration utilizes AnalystPlatform's Illuminate system to enrich Demisto indicators.

9 Improved Integrations

  • MISP V2 Fixed the default value for the PREDEFINED argument in the misp-search command.
  • DomainTools Iris Improved the integration description.
  • Micro Focus Service Manager Improved the descriptions for several parameters and commands.
  • SplunkPy Added support for comma-separated values in the splunk-parse-raw command.
  • Palo Alto Networks PAN-OS
    • Added 2 commands.
      • panorama-register-user-tag
      • panorama-unregister-user-tag
  • Zscaler
    • Fixed an issue where the url command in Zscaler did not create an indicator in Demisto.
    • Fixed the output descriptions of the url and ip commands in Zscaler.
    • Fixed an issue where the zscaler-category-add-url command failed when passing multiple URLs separated with spaces.
    • Fixed an issue where the zscaler-undo-blacklist-url command always failed with the error "Given URL is not blacklisted".
    • Fixed an issue where the zscaler-undo-blacklist-ip command always failed with the error "Given IP is not blacklisted".
    • Fixed an issue where the zscaler-undo-whitelist-url command always failed with the error "Given host address is not whitelisted.".
    • Fixed an issue where the zscaler-undo-whitelist-ip command always failed with the error "Given IP address is not whitelisted.".
    • Updated command executions to always activate changes after API calls and close the session. This fixes issues related to the session not being authenticated or timing out.
  • McAfee DXL Added certificate validation.
  • McAfee Threat Intelligence Exchange Added certificate validation.
  • Qualys Fixed an argument name in the qualys-schedule-scan-list command.

Scripts

New Script

  • ExpanseParseRawIncident Parses an Expanse incident from raw JSON to readable output.

2 Improved Scripts

  • FilterByList Added the name of the compared list to the context.
  • XDRSyncScript Fixed an issue where an incident was modified in XDR but not updated in Demisto.

Playbooks

6 New Playbooks

  • Claroty Manage Asset CVEs
  • Claroty Incident
  • Indeni Demo
  • Pentera Run Scan
  • Expanse Incident Playbook Parses incident from Expanse in raw JSON to readable output.
  • NetSec - Palo Alto Networks DUG - Tag User Block a user by tagging them in the Palo Alto Networks NGFW. Requires PAN-OS 9.1 or later.

3 Improved Playbooks

  • NetOps - Firewall Version and Content Upgrade Updated playbook descriptions and task names.
  • NetOps - Upgrade PAN-OS Firewall Device Updated playbook descriptions and task names.
  • Block Account - Generic Added the PAN-OS Dynamic User Groups commands to the playbook.

Incident Layouts

12 New Incident Layouts

  • accountRep - Indicator Details
  • hostRep - Indicator Details
  • Expanse Appearance - Summary
  • domainRep - Indicator Details
  • Claroty Integrity Incident - Summary
  • cveRep - Indicator Details
  • unifiedFileRep - Indicator Details
  • registryKey - Indicator Details
  • Claroty Security Incident - Summary
  • ipRep - Indicator Details
  • emailRep - Indicator Details
  • urlRep - Indicator Details

Assets