Demisto Content Release Notes for version 20.3.3 (44118)

Published on 17 March 2020

Integrations

6 New Integrations

  • Google Vision AI
    Use the Google Vision AI integration to perform image processing with the Google Vision API.
  • Amazon DynamoDB
    Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
  • RiskSense
    Use the RiskSense integration for vulnerability management and prioritization to measure and control cybersecurity risk.
  • Code42
    Use the Code42 integration to identify potential data exfiltration from insider threats while speeding investigation and response by providing fast access to file events and metadata across physical and cloud environments.
  • (BETA) Trend Micro Apex Trend Micro Apex central automation to manage agents and User-Defined Suspicious Objects.
  • (BETA) Proofpoint Server Protection Proofpoint email security appliance.

18 Improved Integrations

  • Expanse
    • Updated the Authorization header for the Events API to use the correct token.
    • Added a User-Agent header to assist with diagnostics/debugging.
  • Hybrid Analysis
    Added URL decoding for the hybrid-analysis-quick-scan-url command.
  • Pentera
    Fixed an issue with date parsing in the pentera-get-task-run-full-action-report command.
  • Qualys
    Added the REF field in context mapping.
  • Anomali ThreatStream v2
    Fixed handling of reputation commands with array input in cases where no reputation was found for a specific indicator.
  • FireEye HX
    Fixed an issue with encoding passwords with special characters, for example: ✓.
  • C2sec irisk
    Fixed an issue where the irisk-get-domain-issues command failed on KeyError.
  • Carbon Black Enterprise Response
    Changed the search alerts API v1 call to the API v2 call.
  • AlienVault OTX v2
    • Fixed an issue where the IP indicator type was incorrect.
    • Fixed an issue where the URL indicator score was a string.
  • VirusTotal
    Fixed an issue where detections with no positive values were treated as malicious.
  • SplunkPy
    Fixed an issue in the test command, which caused an out of memory error.
  • RSA NetWitness v11.1
    Fixed an issue with the get-incident command when the returned sources attribute is set to "[null]". Applicable to NetWitness 11.4.
  • Palo Alto Networks PAN-OS
    Improved handling of cases where a field value is None.
  • RSA NetWitness Packets and Logs
    Fixed query parsing in the netwitness-query command.
  • BPA
    Removed the PORT parameter from the configuration. This will not affect currently configured instances.
  • Whois
    Added the domain command to enable domain enrichment.
  • Elasticsearch v2
    Added support for API Key authentication.
  • RSA Archer
    Fixed an issue where the following commands failed on numeric incident IDs.
    • archer-update-record
    • archer-delete-record
    • archer-upload-file
    • archer-add-to-detailed-analysis
    • archer-get-record

Scripts

New Script

  • VerifyJSON
    Verifies if the supplied JSON string is valid, and optionally verifies against a provided schema. The script utilizes Powershell's Test-JSON cmdlet.

4 Improved Scripts

  • DBotTrainTextClassifierV2
    Added support for training on a boolean target field.
  • ReadPDFFileV2
    Fixed an issue with URL extraction from PDF files.
  • DockerHardeningCheck
    Decreased the CPU check sensitivity to accommodate loaded systems.
  • FindSimilarIncidents
    Added support for the "\" character in incident fields.

Playbooks

3 New Playbooks

  • Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration
    Remediates the following Prisma Cloud AWS IAM User alerts.
    • Prisma Cloud policies remediated.
    • AWS IAM user has two active Access Keys.
  • Code42 Exfiltration Playbook
    The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints.
  • Code42 File Search
    Searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context.

4 Improved Playbooks

  • PAN-OS EDL Setup v2
    Fixed missing letter in device mode(l).
  • Prisma Cloud Remediation - AWS IAM Policy Misconfiguration
    Added the Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration sub-playbook.
  • Calculate Severity - Critical Assets v2
    Fixed an issue that caused the Critical Assets field to be populated partially or not at all.
  • PAN-OS Commit Configuration
    Fixed a bug where the commit failed but the playbook succeeded. Now it will fail on an unsuccessful commit or push.

Layouts

2 New Layouts

  • AWS CloudTrail Misconfiguration - Summary
  • Code42 Security Alert - Summary

Classification & Mapping

2 Improved Classification & Mapping

  • PrismaCloud App
    Added classification to the AWS CloudTrail Misconfiguration incident type.
  • RedLock
    Added classification to the AWS CloudTrail Misconfiguration incident type.

XSOAR 5.5 Beta Release


Feeds

3 New Feeds

  • AlienVault OTX TAXII Feed
    Fetches indicators from AlienVault OTX using a TAXII client.
  • Plain Text Feed
    Fetches indicators from a plain text feed.
  • Elasticsearch Feed
    Fetches indicators stored in an Elasticsearch database.

5 Improved Feeds

  • TAXII Feed
    You can now use the API header and API key in the credentials fields when configuring an integration instance.
  • Cofense Feed
    Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
  • Office 365 Feed
    • Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
    • Added mapping to new indicator fields.
  • Proofpoint Feed
    Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.
  • Recorded Future RiskList Feed
    Added the DomainGlob indicator type to the feed's output, which might be applied when domains are returned.

Integrations

2 Improved Integrations

  • Export Indicators Service
    • Added the offset parameter to the eis-update command.
    • Added support for the following inline URL parameters.
      • n - The number of indicators to fetch.
      • s - The first index from which to fetch indicators.
      • v - The output format for indicators.
      • q - The query that defines which indicators to fetch.
  • Palo Alto Networks PAN-OS EDL Service Added integration parameter options for formatting indicator values to the expected input standards of PAN-OS.

Assets